On April 14, 2016, the General Data Protection Regulation (EU 2016/679) was formally accepted by the European Parliament. In the summer of 2018, this new regulation will replace all national data protection laws and regulations.
Fast-paced technological developments, globalization and the vast scale on which personal data is collected and exchanged were the catalysts for this new legislation. With it, Europe wants to set an example in terms of privacy protection and individual rights.
The new legislation brings lots of changes and even though 2018 still seems far on the horizon, organizations will need that time to take the necessary steps to comply with the legislation’s far-reaching demands.
The EU regulation applies to the processing, maintenance, storage, distribution and removal of personal data by all organizations that in one way or another deal with personal data. All actors in the end-to-end data flow share responsibility in the matter. Personal data covers every piece of information relating to an identified or identifiable individual, whether structured or unstructured and in a digital or non-digital format.
Individuals have gained several far-reaching rights: the “right to be forgotten” and the “right of access” to the data an organization collects and processes about them. Companies that have already taken steps concerning information & data governance are several steps ahead of those that have not.
Note that the required measures for mitigating data security risks are not solely of a technological nature. Organizations have to adopt all sorts of new principles – such as Privacy by design and Privacy by default – throughout the entire lifecycle of the products and services they offer.
Performing a legal check when starting an activity or a project will certainly not be a frivolous luxury. Organizations also have to demonstrate the organizational and technological measures they have taken to secure personal data against breaches. These measures need to be documented and be at the disposal of the EU Privacy Commission at all times.
Companies collecting and processing personal data need to inform the person concerned and obtain his or her explicit consent. For parties introducing new technologies or automated decision making that uses personal data, it will be mandatory to perform a “Privacy Impact Assessment” and to apply “Privacy by Design”.
The responsibilities of companies (the “data controllers”) collecting and processing personal data are far-reaching. The subcontractors, consultants and implementers (the “data processors”) appointed by the data controller are also held responsible and need to comply with the EU regulation as well.
Most companies will need to appoint a new role, the Data Protection Officer (DPO), who advises on setting up an information management system. The DPO position can be filled by an internal or an external person, as long as he or she has enough leverage to enforce the required changes within the organization.
Organizations that take appropriate measures in a timely fashion and that are very transparent about their data handling will be able to gain a competitive advantage over organizations that are seen as untrustworthy. Furthermore, organizations that do not comply with the new EU Data Protection Regulation will face heavy fines.
Knowing that we’ve only seen the tip of the iceberg, the time to act is now.
Want to know which actions you need to take to comply with the new EU regulation? Contact our experts or ask about our certified DPOs.
Special thanks to Regine Dhaene for her contributions to this post.