EU Data Protection Compliance

On 25 January 2012, the European Commission outlined a proposal for a revised European Data Protection Regulation, as the current EU Data Protection Directive does not take into consideration important aspects of contemporary civilisation, globalization and technological developments (i.e. social networks and cloud computing).

Discussions around the various revisions have been extensive and on 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with very large majorities.

Once the Regulation and the Directive receive formal adoption from the European Parliament and Council, the official texts will be published in the Official Journal of the European Union in all official languages. The new rules will become applicable two years thereafter.

General Data Protection Regime (GDPR) - The Proposal

The proposal for a General Data Protection Regime by the European Commission demonstrates the most significant development in data protection law since the launch of the EU Data Protection Directive, which – like the principles set out in the original Data Protection Act 1998 – has struggled to remain applicable to mass communication and information sharing.

GDPR becomes law as of 25th May 2018 and, because the UK doesn't officially leave the EU until a year later, UK companies will still have to comply with the Regime for the period we remain. The changes are far reaching, necessitating a set of data protection compliance measures for each and every business process that handles personal data. Fines for non-compliance are very hefty and can run up to millions of euros, whether the breach is deliberate or not. Ignorance of the law is not acceptable, nor a legal defence that will be tolerated.


The legislative process has taken several years to reach its current stage and is likely to take effect in 2016/17. When it is fully implemented, in whatever final form, companies need to be aware that any breach of the Regulation will hold with it a fine of up to 2% of its global turnover.

While the new regulation may seem too far into the future to require attention now, the principles of the Regulation should be considered best practice by all companies who handle personal data.

Singular Regulatory Authorities

The proposed Regulation states that companies should have one regulatory authority that acts across all EU member states. It is recommended that this single point of authority should be located where the main decisions on, and means of, data handling take place. This will enable your organisation to have a consistent approach to data handling in every member state.

The proposal effectively explains that each EU member state will regulate GDPR within its borders. Companies will be required to appoint and payroll one or more Data Protection Officers. However, these Officers will report directly to the country's Regulatory Authority, NOT to the company itself. These Officers will be obligated under severe penalties of the law to report all breaches of GDPR they uncover to the Authority directly, or take the legal consequences should they fail to do so or try to cover up these breaches.

The Three Principles of Compliance

There are guidelines that can be followed in order to make your company compliant with the new Regulation. The Advisory Bureau has published The Three Principles of Compliance - a guidance report that can help organisations who operate within multiple EU States to retain compliance during the development of the new Regulation.

As subject matter experts in data protection, the Security Watchdog's Advisory Bureau can provide best practice guidance for your data handling procedures, including audits, consultancy and primary documentation development.
