18 May 2016
The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age, giving individuals the same data protection rights across the EU, regardless of where their data is processed.
The Regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses. The Directive for the police and criminal justice sector protects citizens' fundamental right to data protection whenever personal data is used by law enforcement authorities. It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee of the Council then approved the agreements. The agreements were also welcomed by the European Council of 17-18 December as a major step forward in the implementation of the Digital Single Market Strategy.
On 8 April 2016 the Council adopted the Regulation and the Directive. And on 14 April 2016 the Regulation and the Directive were adopted by the European Parliament.
On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.
10 Facts about the new EU data protection regulation
1. Regulation v Directive
The previous EU data protection directive resulted in a patchwork of different laws across Europe. The new regulation will be implemented across all 28 Member States and became law, without change, when it was passed.
2. Data processors will be held responsible for data protection
Any company, organisation or individual that touches, has access to, or processes any data “by which an individual can be identified” will now be responsible in the case of a data breach (this includes third parties such as cloud providers), wherever they are based.
3. Global aspect of the regulation
The new regulation affects every global organisation that may have data on EU citizens and residents.
4. Compensation claims
The regulation will allow for damages claims in the event of data loss as a result of unlawful processing, including collective redress, the equivalent of the US “Class Action”. Senior Management will need to consider what kind of impact an action such as this could have on their business.
5. Transfer of EU citizens data outside the EU
The regulation has tightened the rules on transfer of data outside of the EU. The previous Directive allowed a data processor to decide whether a third-party provider is safe. When negotiating with a cloud provider, for example, it is essential to check as part of the contract whether they are allowed to move data between countries, whether they have to inform the individual they are dealing with of such a move, or whether they can only do so with express permission from that individual.
6. Harmonised request rights
Previously, each country defined how data controllers respond to requests from individuals regarding data kept about them; the UK, for example, allowed 40 days. Under the regulation all countries must comply with the same rule: 20 days.
7. New erasure rights “Right to be Forgotten”
Individuals can require the erasure of their personal data without undue delay by the data controller in certain situations. A good example is where they withdraw consent and no other legal ground for processing applies. Alongside this obligation is one to take reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or copies of, that data.
8. Informing individuals of their rights
Under the new regulation, controllers must inform and remind individuals of their rights, as well as documenting the fact that they have been reminded of their rights. Individuals must also now opt in to have their data used elsewhere, rather than being given the option to opt out as previously.
9. Sanctions and incident reporting
Sanctions have been made much tougher under the new regulation. Fines may be as high as 20 million euros, or 4% of global revenue, whichever is the higher (previously in the UK the maximum was £500,000). Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
10. Data Protection Officers
In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme. The compromise threshold is met where (i) processing is carried out by a public authority, (ii) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, or (iii) the core activities consist of processing on a large scale of special categories of data. The DPO will need sufficient expert knowledge; how much will depend on the processing activities for which the officer will be responsible. The DPO may be employed or under a service contract. A group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities.
What is considered to be personal information?
Personal information is anything that relates to a person and can identify them.
Examples of personal information include:
• Bank details
There are a number of principles which, if followed, should prevent organisations that hold personal data from breaking the law.
They are that personal information should be:
• Processed in a fair and legal manner
• Used for limited purposes
• Adequate, relevant and not excessive
• Up-to-date and accurate
• Only kept for the necessary time
• Processed in line with individuals' rights
• Kept secure
• Only transferred abroad if adequate protection is ensured
Sensitive personal data
There is a subset of personal data, known as sensitive personal information, which must only be disclosed if absolutely necessary.
This data includes:
• Ethnic origin
• Political stance
• Religious beliefs
• Membership of a trade union
• Health conditions
• Sexual orientation
• Alleged or committed offences
• Proceedings related to offences
The individual's rights
It is up to the organisation to make sure that the individual whose personal information is obtained knows what their rights are.
They have the right to know that their information is being stored, to see that data if they so wish, and to correct it should there be any factual inaccuracies.
A common issue is businesses using personal information for marketing purposes; the individual can ask for this to be stopped at any time, and the request must be honoured.
Any employee who is granted permission to work with personal information must be fully trained. They must know exactly what their role is and how to carry it out, and it is up to the organisation to ensure this is the case.