Overhaul of EU Data Protection law approaching

Earlier this week, the European Council reached a general approach on regulation for Data Protection, bringing a complete overhaul of EU Data Protection law a step closer.

Before the proposed regulations become law, the approach will be debated by European Parliament, the European Commission and the European Council.

If made law as they stand, there would be significant implications for businesses operating in or with companies in the EU. Described as “rules adapted to the digital era” by the European Council, they could be agreed as soon as the end of this year, so it’s not too early to start considering how they could affect you:

One-stop-shop approach

While currently there are independent watchdogs responsible for regulating data privacy in each member state of the EU, the new approach would standardise rules across the EU – in theory, simplifying doing business in the EU.

This would mean that companies within the EU, or those doing business with them, would have to refer to one single unified data protection authority and data privacy regulation.

What this means for your business: the changes to the law are expected to be relatively imminent, so now is the time to start planning for a potential overhaul of your own data protection policies with a view to complying with new EU legislation.

Increased consumer protection

The new proposals include strict regulation around the collection and use of personal data, essentially giving more control and rights to individuals where their data is concerned.

This would include making it easier for consumers to access their data, the ability to remove data from companies’ databases (the ‘right to be forgotten’) or easily transfer data between companies.

What this means for your business: when collecting any data about consumers or staff, businesses will need to be increasingly transparent about what that data will be used for. The regulation also mentions ‘unambiguous consent’, which will have implications in all instances where customer data is collected, across businesses.

Security measures

With proposed fines of up to €1m or 2% of global annual turnover, which for large corporations could amount to figures surpassing seven figures, there will be an increased need for businesses to implement security measures.

As well as the increased fines, data controllers would be responsible for notification of individuals affected by any data breaches, protecting consumers whose data is compromised.

What this means for your business: potentially huge fines for breaches, and additional requirements around data privacy are likely to increase the required investment in data protection for all businesses.

Data protection expertise

Our Compliance Essentials eLearning Suite includes a number of modules related to Data Protection which are aligned with the latest regulation. As the EU Data Protection law evolves, so too will our eLearning courses.

Implementing a programme of eLearning as part of your Data Protection policy ensures your staff have access to training on the latest legislation, minimising risk of data breaches and fines resulting from non-compliance.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”