EU Data Protection Regulation: Prepare now, comply later

Alison Deighton and Emily Holdsworth discuss the implications of the most redrafted piece of European legislation to date
It is now three years since the European Commission first published its plans to overhaul the existing data protection framework in the EU. The proposals were made in response to massive advances in technology, and data being used in ways which had not been envisaged when the previous EU Data Protection Directive was introduced in 1995.
All organisations that process personal data will be affected by the new legislation. The current proposals introduce significantly higher fines if breaches occur. They also impose new legal obligations, such as a requirement to carry out data protection impact assessments and ensure ‘privacy by design’ for new projects. Individuals’ rights are also expanded, which will require organisations to introduce new policies, procedures and training to ensure that such rights are respected.
To implement the new requirements when they come into force, organisations will need to carry out a significant overhaul of their existing policies and procedures. In some cases, businesses will need to make costly changes to IT systems. Businesses that process a large volume of personal data will be most significantly affected, for example, larger retailers and financial services organisations. However, all organisations will process personal data to some extent, even if only in relation to their own employees, and therefore the new legislation will have far-reaching effects for businesses in all sectors.
The reform package proposed that a new Data Protection Regulation should be introduced across the EU to replace the fragmented national data protection laws that currently exist across the 28 EU member states. The intention is for the regulation to have direct effect in all member states, which would mean that, in the UK, the Data Protection Act 1998 would be superseded by the regulation without the requirement for further legislation. Some member states, in particular the UK, are unhappy with this proposed structure and contend that the proposed changes should be effected through a directive, rather than by way of the regulation. This would allow them to transpose the requirements of the directive into their own national laws.
Moving forward
As a result of strong opposition and lobbying on several of the proposals, progress towards implementation has been slow. In fact, the draft regulation is already the most amended piece of European legislation ever and further changes are in the pipeline. Substantial progress was made by the European Parliament in March 2014 when it formally adopted its own version of the regulation and made a statement that the reform was ‘necessary’ and ‘irreversible’. Since then, the process has been moved on to the European Council.
In late December 2014, the European Council released an amended version of the regulation drawn up by the Working Group on Information Exchange and Data Protection (DAPIX). It is apparent from the document that a number of member states still have various reservations about the draft text, and further negotiations will be required in order to reconcile this version with that of the European Parliament. So, although progress is being made, further technical work will be required by the European Council over the coming months.
Although the European Council last year agreed a backstop date of 2015 for approval of the regulation, the European Parliament’s lead rapporteur on data protection reforms, German MEP Jan Philipp Albrecht, warned that concerns raised by the UK, Germany and France have made it doubtful that the regulation will indeed be finalised and adopted before the end of 2015. In January 2015, a discussion panel met in Brussels to debate the progress of the regulation and the majority predicted that spring 2016 was a more likely date for finalising the text. Once the regulation is finalised, it will come into force two years after approval.
Key changes
Although it is still not possible to say with any certainty what the specific changes will be, the following are the main changes envisaged by the draft regulation:
- Fines: These will be substantially increased. The current proposal is for maximum fines of €100m or 5 per cent of annual worldwide turnover, whichever is the greater. However, this area has yet to be finalised as it appears the European Council wishes to reduce this 5 per cent figure to a maximum financial penalty of 2 per cent.
- Dawn raids: Presently, the Information Commissioner in the UK has no right to carry out audits on private sector organisations without consent. Under the proposed regulation, regulators will have significantly expanded audit rights and will be able to turn up unannounced to check data protection compliance, having obtained a warrant to do so.
- Mandatory breach notification: Organisations that suffer a data breach will have a legal obligation to notify the regulator without undue delay. At the moment, the draft regulation does not include any materiality threshold for breach notifications, so even the most minor breaches will have to be notified. But this is a controversial point and it is thought that a materiality test is likely to be introduced. If an individual’s privacy will be affected by the breach, they must also be notified.
- Requirement to appoint an expert data protection officer (DPO): The current proposals require all organisations processing personal data relating to more than 5,000 individuals in a 12-month period to appoint a DPO. The DPO must be an expert in data protection law and practice and must fulfil the duties specified in the regulation. Since the European Council’s views on this requirement differ from those of the European Parliament, further changes are likely.
- New rights for individuals: Under the current proposal, individuals are given a number of new rights, including a right to be informed of profiling in a ‘highly visible manner’, a right to object to profiling, a right to have their data erased in specified circumstances and a right to obtain copies of their data in a commonly used electronic format.
- More rigorous consent requirements: Individuals will need to give consent that is ‘freely given, specific, informed and explicit’. Only clear affirmative action such as ticking a box or signing a data protection consent statement will do. Silence or an ‘opt out’ option will not suffice.
- Much-expanded transparency requirements: The requirement to provide individuals with information about how their data is used is significantly expanded.
- Data protection impact assessment: There will be a mandatory requirement to undertake a risk assessment whenever a new project that involves personal data is implemented.
- Territorial scope: The regulation covers non-EU businesses that provide services to EU individuals and provides for overseas branch offices of UK companies to be regulated by the Information Commissioner’s Office (ICO).
Changes to internal procedures
Although organisations will have two years to prepare, the changes proposed are significant and could well be very complicated to implement in practice.
- Data deletion: The additional right of an individual to have all of their data deleted in certain circumstances will require organisations to ensure that they can identify where all of their data is held and to categorise whether, and when, it needs to be deleted. They will also need to ensure that their IT systems are capable of deleting the data.
- Profiling: The concept of profiling is a new one and the latest draft from the council indicates that the effects of this provision will be onerous for data controllers. A subject may object to profiling if it is not necessary for the performance of a contract, is not authorised by national law, does not safeguard the subject’s legitimate interests and is not based upon explicit consent. All procedures involving automated processing will therefore have to be scrutinised carefully and individuals will need to be informed of their rights to object.
- Privacy notices: Currently, organisations must issue privacy notices which inform individuals that they are acting as a data controller. They must set out the purposes for which they intend to process the individual’s personal data and any proposed disclosures to third parties. These requirements are significantly expanded by the draft regulation. Individuals will have to be informed of retention periods, their individual rights, their ability to complain to the ICO and the ‘legitimate grounds’ under which data processing is permitted. Offering ‘opt out’ boxes or assuming consent will no longer be acceptable. Organisations will therefore need to analyse all data processing to determine the conditions they are relying upon to legitimise the processing. Terms of business, privacy policies on websites and data collection notices will all need to be revised to incorporate the additional information. If consent is to be relied upon, a mechanism which enables a positive indication of consent must be used.
- Data protection impact assessments: Although organisations will no longer be required to provide annual notification to the ICO of their processing activities, they will be required to carry out a data protection impact assessment (DPIA) before proceeding with ‘risky’ personal data processing. Under the proposals of the European Parliament, an assessment would need to be carried out if an organisation wishes to undertake processing which is likely to present specific risks. The European Council has proposed less prescriptive rules on DPIAs and has said that organisations should instead only be required to conduct an assessment where processing is likely to result in a high risk to the rights and freedoms of individuals. Whichever approach is followed, an assessment will need to set out a description of the intended processing, evaluate the risks and describe the measures envisaged to address them. Security measures and mechanisms that an organisation intends to put in place to protect data privacy will also need to be assessed. Organisations will need to build DPIA methodologies into their project management procedures and appoint a team to carry out the DPIA.
- Breaches: The introduction of a mandatory requirement to notify the ICO of any data security breaches, and individuals if their privacy is affected, will obviously have an impact on internal procedures. Staff will need to be trained to recognise breaches and breach management procedures will need to be put in place to handle these requirements going forward. Training will also be required and policies put in place so that staff know what to do if the ICO turns up unannounced to check an organisation’s data protection compliance.
- Appointment of a DPO: Another key change will be the requirement to appoint a DPO. Small businesses will be watching with interest to see whether the criteria determining which businesses should be required to appoint a DPO will change under the current discussions, since this could be an expensive requirement for them. DPOs would need to be appointed for a period of at least two years. Organisations will need to consider whether they will need to recruit externally or whether someone in-house has sufficient expert knowledge of data protection law and practices to fulfil the role. In either case, the DPO would have to be in a position to perform their duties and tasks independently.
Although several member states still have various reservations about the draft Data Protection Regulation and no date has been fixed for implementation, progress is being made slowly and the changes envisaged are now inevitable. Organisations should therefore familiarise themselves with the proposed changes now, so that they can identify the actions that will need to be taken over the next couple of years.
Alison Deighton is a commercial partner and Emily Holdsworth a commercial associate at TLT