The European Privacy Regulation has been adopted and the clock to ensure compliance has started running: what changes for companies?
After years of waiting, the EU General Data Protection Regulation has been approved by the European Parliament and, once published in the EU Official Gazette, will come into force. From that moment a feeling of “panic” has been spreading among most European and non-European companies offering their services in the EU, as they will have a burdensome workload to deal with by 25 May 2018.
What are the main changes introduced by the EU Privacy Regulation?
The EU Privacy Regulation will replace Directive 95/46/EU, which was the backbone of European privacy regulations, while the E-Privacy and the Cookies Directive will remain in place. I will dedicate a blog post to each of the major changes introduced by the Regulation, but in a nutshell they can be summarised as follows:
- Applicability to Non-EU entities – Non-EU companies shall comply with the Regulation if they target individuals located in the EU, by profiling them or by offering them products or services;
- One-Stop-Shop – A single national data protection authority will act as the lead regulator for compliance issues in the EU, where the organisation has multiple points of presence across the EU;
- Consent – Consent must be explicit, rather than implied, but for the processing of data for marketing purposes reference is made to the possibility of relying on the so-called “legitimate interest” exception;
- Data Portability – Companies must ensure data subjects can easily transfer their data files from one service provider to another. This might be particularly relevant, for instance, for Internet of Things technologies such as connected cars;
- Right To Be Forgotten – The right to be forgotten, previously established only by the famous decision of the European Court of Justice, is now reinforced through statutory provisions;
- Higher sanctions – Financial sanctions of up to 4% of the annual worldwide turnover of the breaching entity will be applicable;
- Data Breaches – Companies will be required to notify the local supervisory authority and in some cases affected individuals of significant data breaches;
- Liability and Data Protection Officer – The burden of proving compliance with the Regulation will fall on companies, which consequently shall adopt internal policies and procedures in order to demonstrate their compliance; this might be especially relevant in case of data breaches. Internal compliance shall also be guaranteed through the appointment of a data protection officer, which will be compulsory in some cases;
- Privacy Impact Assessment – A privacy impact assessment will become a mandatory pre-requisite before processing personal data for operations that, due to the nature or scope of the processing, are likely to present higher privacy risks to data subjects, such as IoT or Fintech technologies;
- Privacy By Design & Privacy By Default – Companies shall implement and document the adoption of the measures necessary to ensure privacy compliance throughout the design of a new product or service, at the time of its marketing and during the whole life of the product/service. Likewise, mechanisms able to ensure that, by default, minimal personal data is collected, used and retained shall be in place. As previously discussed, privacy by design is a compliance obligation, but in relation to technologies such as those of the Internet of Things, for which the applicable privacy obligations are uncertain, it might become a valuable protection. This principle is even more valid if privacy by design is accompanied by an approved certification mechanism able to demonstrate compliance with the applicable requirements.