Following revelations of businesses being unprepared for the new EU General Data Protection Regulation, Crown Records Management has put together a quick three-minute guide to the new regulations ahead of next week’s meeting on the legislation.
What is the EU General Data Protection Regulation and why is it being brought in?
The EU wants to reform data protection and cut red tape for businesses across Europe by bringing in a ‘one stop shop’ single set of rules. In future, each company will have one single Data Protection Authority (DPA) to report to, generally reflecting where its headquarters are based. But the rules will be the same for everyone across Europe. The Regulation also aims to protect the rights of European citizens by giving them more control over their personal data.
Who will it affect?
Any business that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens.
When is the Regulation expected to come into force?
There is no definitive answer, although the stated timescale is for ratification by the end of this year and implementation in 2017.
EU ministers meet again on June 24 to begin the process. It may well be 2016 before politicians can agree on a final draft. But the underlying principles have already been agreed - so there really is no reason for businesses to put off preparations any longer.
What will be the most challenging aspects of the Regulation?
With so much focus on how the data of European citizens is stored and handled, businesses will face a serious challenge to get their processes in order.
To begin with, they will need the specific and freely given consent of data subjects to collect data in the first place. Data must be accurate and up to date. The policy of ‘privacy by design’ means data protection should be at the heart of all processes.
Citizens will have the right to view their data and ask for it to be edited. The ‘right to erasure’, which has already struck Google, will add further complications as companies will be expected to find and edit large amounts of data quickly – and will need processes in place for data subjects to make those requests.
The threat of data breaches will no longer be a concern only for data controllers but also for data processors as huge fines are introduced across the board.
The Regulation requires companies with more than 250 employees to appoint a Data Protection Officer. Smaller companies which hold more than 5,000 personal data records will have the same requirement. For many it may be more sensible to outsource this post; but the financial implications of the new Regulation will also be a concern.
What will the consequences be for those who fail to comply?
Huge fines, up to 100m Euros or five per cent of global turnover, for companies that deliberately or negligently breach the Regulation are included in the draft. In future, data breaches are going to be very expensive – and lead to serious loss of reputation. It could be make or break for many UK companies.
There will also be requirements for businesses to report a data breach quickly. That time frame looks likely to be set at 72 hours, which will be a real challenge for businesses that have not set up adequate processes.