EU DATA PROTECTION REFORM AND THE NEED FOR A COMPLIANCE STRATEGY

The process of EU data protection legislative reform seems to have been going on for so long that businesses could be forgiven for wondering if it would remain mired in the European political process indefinitely. But with the trilogue negotiation between the European Commission, the European Parliament and the Council of the EU finally underway, there is now a real possibility that the regulation will be formally adopted in the early part of next year.

Once this happens, there will be a two year transition period before it becomes enforceable by data protection authorities (DPAs). This may still seem a long way away, but for many businesses the changes introduced by the regulation will mean changing their entire approach to data protection. Successful implementation will require identifying and educating stakeholders from across the business. Given the complexity of data flows in most modern businesses, and the scope of the regulatory changes, this will be a significant undertaking for many, but it is one which they need to take seriously, as the regulation will introduce fines of up to 2-5 percent of global turnover.

The new buzzwords: accountability and privacy by design

One of the key changes in the regulation is the need for formal processes. Currently, many businesses adopt a reactive, ad hoc approach to privacy, addressing it on a project by project basis. All too frequently privacy compliance is considered at the end of a project lifecycle, if at all, when the legal or compliance department is asked to provide sign-off. Requests for changes at this stage will generally encounter resistance, as they are more difficult and expensive to introduce, and may put project deadlines at risk.

To counter this problem, privacy regulators have been promoting both accountability and privacy by design for some time, but the concepts are still not well-known or understood outside the privacy community. The Article 29 Working Party (an advisory group comprised of representatives of all the EU data protection authorities) has described the concept of accountability as a way of “showing how responsibility is exercised and making this verifiable”.

Oct-Dec 2015 Issue

Hogan Lovells