Complying with the new EU Data Protection Regulation

Holding people's personal data is a significant responsibility for any organisation, and the way that data may be used and handled is enshrined in law.

The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age and to give individuals the same data protection rights across the EU, regardless of where their data is processed.

The Regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses. The Directive for the police and criminal justice sector protects citizens' fundamental right to data protection whenever personal data is used by law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.

On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee of the Council then approved the agreements. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.

On 8 April 2016 the Council adopted the Regulation and the Directive, and on 14 April 2016 both were adopted by the European Parliament.

On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. While the Regulation enters into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.

10 Facts about the new EU data protection regulation

1. Regulation v Directive

The previous EU data protection directive was a patchwork of different laws across Europe. The new regulation will be implemented across 28 countries, and became law, without change, when it was passed.

2. Data processors will be held responsible for data protection

Any company, organisation or individual that touches, has access to, or processes any data “by which an individual can be identified” will now be responsible in the case of a data breach (this includes third parties such as Cloud providers), wherever they are based.

3. Global aspect of the regulation

The new regulation affects every global organisation that may have data on EU citizens and residents.

4. Compensation claims

The regulation will allow for damages claims in the event of data loss as a result of unlawful processing, including collective redress, the equivalent of the US “Class Action”. Senior Management will need to consider what kind of impact an action such as this could have on their business.

5. Transfer of EU citizens' data outside the EU

The regulation has tightened the rules on transfer of data outside of the EU. The previous Directive allowed a data processor to decide if a third-party provider is safe. When negotiating with a Cloud provider, for example, it is essential to check as part of the contract whether they are allowed to move data between countries, whether they have to inform the individual they are dealing with of such a move, or whether they can only do so with express permission from that individual.

6. Harmonised request rights

Previously each country defined how data controllers respond to requests from individuals regarding data kept about them; the UK, for example, allowed 40 days. Under the regulation all countries must comply with the same rule: 20 days.

7. New erasure rights (“Right to be Forgotten”)

Individuals can require the data controller to erase their personal data without undue delay in certain situations. A good example is where they withdraw consent and no other legal ground for processing applies. Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.

8. Informing individuals of their rights

Under the new regulation, controllers must inform and remind individuals of their rights, and document the fact that they have been reminded. Individuals must now also opt in to have their data used elsewhere, rather than being given the option to opt out as previously.

9. Sanctions and incident reporting

Sanctions have been made much tougher under the new regulation. Fines may be as high as 20m Euros, or 4% of global revenue, whichever is the higher (previously in the UK the maximum was £500,000). Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

10. Data Protection Officers

In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme. The compromise threshold is: (i) processing is carried out by a public authority; (ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or (iii) the core activities consist of large-scale processing of special categories of data. The DPO will need sufficient expert knowledge, which will depend on the processing activities for which the officer will be responsible. The DPO may be employed or under a service contract. A group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities.

What is considered to be personal information?

Personal information is anything which relates to a person and which can identify them.

Examples of personal information include:
• Names
• Addresses
• Bank details

There are a number of principles which, if followed, should prevent organisations that hold personal data from breaking the law.

They are that personal information should be:
• Processed in a fair and legal manner
• Used for limited purposes
• Adequate, relevant and not excessive
• Up-to-date and accurate
• Only kept for the necessary time
• Processed in line with the individual's rights
• Secure
• Only transferred abroad if adequate protection is ensured

Sensitive personal data
There is a subset of personal data known as sensitive personal information, and this must only be disclosed if absolutely necessary.

This data includes:

• Ethnic origin
• Political stance
• Religious beliefs
• Membership of a trade union
• Health conditions
• Sexual orientation
• Alleged or committed offences
• Proceedings related to offences

The individual's rights
It is up to the organisation to make sure that the individual whose personal information is obtained knows what their rights are.
They have the right to know that their information is being stored, to see that data if they so wish, and to correct it should there be any factual inaccuracies.
A common issue is businesses using personal information for marketing purposes; the individual can ask for this to be stopped at any time, and this must be adhered to.

Instructing staff
Any employee who is granted permission to work with personal information must be fully trained. They must know exactly what their role is and how to carry it out, and it is up to the organisation to ensure this is the case.
