New data protection laws are coming into effect across the EU this spring, and they’re set to be some of the most stringent in the world.
Here in the UK, prior to the new EU Data Protection Regulation there was no actual legal obligation for organisations to report personal data breaches to anyone, merely a recommendation that the Information Commissioner’s Office be made aware of serious breaches.
This seemingly lackadaisical approach stems from the Data Protection Act of 1998, prior to the days of mass Internet usage. The new EU regulation will reportedly be much more in tune with the age of smartphones and cloud storage.
New Obligations in the EU
Now, data controllers must notify the appropriate supervisory authorities of any breaches with the potential to cause accidental or unlawful destruction of data, or the loss, alteration, or improper disclosure of or access to personal data that’s transmitted, stored or otherwise processed by data controllers.
Not only do data controllers now have an obligation to report breaches, but they must do so within 72 hours, which critics say may be an extremely hard target to meet for many businesses. Should the 72-hour restriction be unmet, the company that experienced the breach must provide an explanation of why they couldn’t meet the supervisory authority’s deadline.
The only circumstance in which a data breach doesn’t have to be reported under the new regulation is when the controller can prove that the breach is highly unlikely to result in the rights and freedoms of individuals being put at risk.
Documentation and Notification
The new EU regulation will also require that all personal data breaches be documented by data controllers, including the facts surrounding each incident. Furthermore, subjects must be notified of the potential risk to their personal data without undue delay. This includes the possibility or occurrence of fraud and identity theft.
At present, the ICO in the UK can issue fines up to £500,000 for companies that experience data breaches. This is another aspect of the new data protection laws that is set to change. Not only will the laws around peoples’ data become far more stringent, but the penalties for not following them are increasingly significant.
Under the new EU regulation, companies that don’t follow the guidelines for protecting data can be fined 4% of their global annual turnover for the previous year, or up to €20 million. That’s quite a hike in fines!
The new regulation will also offer the right to seek costs for any person who has suffered material or immaterial damage as a result of a data breach. This compensation will come from the controller or the processor, and some experts expect the result will be an increase in data subjects pursuing legal action when a breach occurs.
The Effect on UK Businesses
With the new Network and Information Security Directive, many large UK businesses will be required to implement new network and information security requirements. These include organisations that operate with essential data or provide digital services, such as banks, energy companies, healthcare providers and cloud service providers.
Companies will be responsible for data compliance under the new laws regardless of whether they’re based in the EU. What matters is whether they’re dealing with the data of EU citizens.
Principles of the Change
So, what are the changes that businesses must follow? The essentials can be broken down as follows:
• Data must be processed fairly, lawfully and transparently.
• Data must only be collected for specified, explicit and legitimate purposes.
• Access to data must be adequate, relevant and limited only to what’s necessary.
• Data records must be accurate and up to date.
• Access to data must be in a form that permits the identification of subjects no longer than needed.
• Data must be processed to ensure appropriate security of personal data and protection against any unlawful processing, loss, destruction or damage.
• Special provisions must be made regarding the data of children.
Data Protection Changes and Law Firms
Like many other businesses, law firms must prepare to adapt to the changes, and these changes are stricter than ever. This includes developing new behaviours, not just being aware of the laws.
It is also expected that there will be some legal limitations to overcome, which may keep legal professionals busy during the transition period. As excuses for non-compliance will become much harder to justify, lawyers are expected to be kept busy with advisory work for companies that need to change their policies and the way they operate.
Time to Act
With the directive being formally adopted throughout the EU this spring, companies will now have two years to adopt the policies and practices expected of them. Furthermore, the two-year adaptation period will give countries time to bring in national laws regarding the implementation of the new EU data protection regulations.