How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?
How to Prepare for the Requirements of the EU’s New General Data Protection Regulation
Eija Warma-Lehtinen
Many companies have probably already asked themselves these questions following the political consensus that was reached on the content of the EU’s new General Data Protection Regulation in December 2015.
It’s best to take the new regulation seriously: it gives powers to the national supervisory authorities to impose penalties up to tens of millions of euros for non-compliance with the requirements of the regulation. Below we have listed the things that every company should take into account before the new regulation comes into effect.
Rights of the Individual Will Improve
Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.
The current Personal Data Act already provides the data subject the right of access to information related to him or her and the right to demand that the information be either corrected or deleted from the filing system. The new regulation will retain these existing rights, but will give the data subject even stronger control over his or her information. In the future, companies will have to, for example, provide the data subject with more information, in a more transparent and clear form, regarding the purpose and the means of processing their personal data.
The regulation will also introduce new rights, such as the right to data portability and the right to object to profiling. The right to data portability enables the transmission of personal data between controllers without intermediaries. In some circumstances, the right to object to profiling means that the data subject would have the right to refuse being the object of decisions regarding the evaluation of his or her personal features, if such decisions are based solely on automatic data processing, in other words, on processes without human intervention. An example of profiling could be the automatic rejection of an online credit application or the use of electronic recruiting without any human contribution in the process.
Assess the Current State of the Personal Data Processing and Related Risks
In a data protection impact assessment (DPIA), the necessity of and the risks involved in the processing of personal data, as well as the ways these risks could be minimised and managed, are assessed. Even though it is not compulsory for all companies to carry out a DPIA, it is still recommended to conduct some kind of assessment of the present situation in your company in view of the forthcoming Data Protection Regulation.
At a minimum, the following questions should be answered:
1. What kind of personal data do we process?
2. Is our processing in line with the new Data Protection Regulation?
3. How do we inform the data subjects of the processing of their personal data?
4. What methods, processes or documents should we amend or create because of the new regulation?
Appoint a Data Protection Officer for Your Company
The new Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies whose core activities consist of the large-scale systematic monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and properly monitoring compliance with regulations. Depending on the company, suitable departments could be the legal department, data administration, the HR department or internal control.
A data protection officer needs to have expertise in the field of data protection regulations as well as knowledge of how such regulations are implemented in the company’s activities. The role of the data protection officer within the company is independent, and she or he needs to report directly to the company’s highest management. In addition, the tasks of the data protection officer include instructing and training the personnel, ensuring that day-to-day activities comply with the data protection regulation, and acting as the company’s liaison to authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.
Personal Data Breach Notification Now Mandatory
Personal data breaches are a real challenge, and maintaining the trust of clients is ever more important in the digitalising world. The new regulation obliges companies to inform both the authorities and the relevant data subjects of data breaches. The time for making the notification is relatively short: the notification should reach the authorities within 72 hours of the detection of the data breach, and the data subjects should be informed without undue delay. Therefore, companies need to have the ability to detect data breaches, notify the relevant parties and minimise the damage.
Review Agreements with External Data Processors
The Data Protection Regulation requires that written agreements be made with external service providers that process personal data. The regulation sets certain content requirements for such agreements. If your company has outsourced data processing to a third party, it is recommended that you check these agreements and make sure that they are in line with the new regulation. Such external data processors can, for example, include the company’s payroll administration, a cloud service provider or an external sales company.
Act Now!
The General Data Protection Regulation will come into effect once it has been formally adopted by the European Parliament and has been published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected to be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance with them as soon as possible. Evaluating the legality of the present situation is a good starting point.
To find out more about the data protection regulation and the following key changes, please read our previous publication on the matter.