The European Commission announced this week that the trilogue negotiations between the European Commission, Council and Parliament have resulted in a political agreement.
This is the first stage in the implementation of the Regulation. The consolidated text is now waiting for confirmation from the Member States in the Council and a further vote by the full Parliament in January, after having been approved by the Parliamentary Committee on Civil Liberties, Justice and Home Affairs this morning (resulting in an offer of champagne all round!).
As with all negotiated documents, the Regulation isn’t perfect. As Jan Philipp Albrecht, the Rapporteur for the Regulation stated in the Committee meeting, the “result is something that makes (as we intended from the beginning) everyone equally unhappy, but at the same time is a huge step forward for all sides involved”.
But this means that soon after you return from your Christmas holidays, the countdown will begin. There will be 2 years in which to implement any systems or processes within your business to enable compliance with the new Regulation. And hopefully the nature of the Regulation will mean that you will be able to have greater certainty on how you implement those, no matter where you are in Europe. However, despite assurances from the Commission that the Regulation will put an end to the patchwork of data protection rules that currently exist in the EU, it is worth noting that in some instances (based on the current working draft) Member States have some leeway in setting their own rules.
So what might this new regime mean for your business?
- Implementing privacy impact assessments – these have been good practice for a while, but now will be required in certain circumstances, although SMEs will be exempt unless there is a high risk to privacy.
- Data Breach Notification planning – what would you do if your customer or employee data was disclosed or even destroyed? Having a plan in place will be vital to comply with the new rules on breach notification.
- More access to data, a greater ability to move it around, or to have it forgotten – if you are a service provider, how will you implement the “data portability” requirements? Are you ready for a potential increase in requests for information – have you got a policy in place so that employees know what to do if they receive a request for access or to be forgotten?
- More specific requirements around consent – are your methods of obtaining consent sufficient? Do you process data about children? The new rules provide clearer, but potentially stricter, criteria, and failure to get appropriate consent will jeopardise the value and use of your data.
- More responsibilities on processors – both through the Regulation itself, but also on additional contractual requirements set out in the Regulation. Controllers will need to make sure their contracts with processors are up to date and contain these necessary provisions. Currently, many won’t.
Most importantly, now is your chance to take the opportunity and the impetus of the new Regulation to focus the business’ mind on protecting data. New enforcement powers and substantial fines mean that what may, in some European jurisdictions, have been considered to be a relatively toothless set of obligations now has a bite to go with its bark.
We’ll be looking at the individual aspects of the Regulation in more detail over the coming weeks. Please come back for more information about how this important change in European data protection law will affect you and your business.
For more information please contact André Bywater who is a lawyer with Cordery in London where his focus is on compliance issues.
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785