In January of 2016, the European Commission revealed a draft of its European Data Protection Regulation to replace the previous Data Protection Directive of 1995. The reforms consist of two instruments: the General Data Protection Regulation and the Data Protection Directive. The legislation aims to create strong data protection and privacy laws, streamline legislation across the 28 member states to push a digital single market, and boost police and security cooperation. This represents the most significant change to data protection in the UK and EU since 1995. The reforms will replace the outdated patchwork of national rules that have only allowed for small fines in cases of violation. Any legal entity that processes individual identifying data will be held responsible for its protection, and that includes cloud providers. The broad ramifications mean third parties will need to be vigilant when it comes to securing the data of others, and data owners will need to thoroughly vet their partners. In the event of data loss as a result of unlawful processing, users will be entitled to claim damages and pursue recourse through collective redress procedures.
The changes are expected to come into force in about two years and will set global data protection standards. This is incredibly important because businesses will face financial sanctions, as high as €100m or 5 percent of global revenue (whichever is higher), for any breaches. Businesses can also face further reputational damage, as cases can run on for years and receive a lot of negative publicity. Most senior IT managers in large UK enterprises agree that the draft data protection rules will cost their business more. Managers may feel that there is plenty of time to get ready for the new data protection framework in Europe, but early preparation is vital.
To that end, organisations should consider implementing the following policies in order to successfully transition into this new era:
- establish a culture of monitoring, reviewing, and assessing your data processing procedures;
- aim to minimise data processing and the retention of data, and build safeguards into all data processing activities;
- make all employees fully aware of the implications of the changes and train them in the application of any new policies;
- for organisations with over 250 employees, employ a data protection officer to act as the focal point for all data protection activities;
- refresh your information asset register so it clearly identifies what data is held, where, how and why;
- re-write privacy policies in plain English to comply with the new guidance;
- establish processes and procedures to handle data subject access and data deletion requests.
The bottom line for the legal industry is that businesses will be heavily reliant on legal expertise to review relevant contracts and systems, and it is crucial that we are cognizant of this developing area.