The new EU Data Protection regulation: the challenge of “accountability”
May 28, 2013
By: Peter Katko, Partner, Ernst & Young Germany, and Fabrice Naftalski, Partner, Ernst & Young France
After a long gestation period, a new EU Data Protection Regulation will probably see the light of day before the end of this year. The impact of this new regulation on companies is mixed.
On the one hand, it brings very welcome harmonization, updating and simplification and will help to reduce red tape. On the other hand, the emphasis on “accountability” in the new regulation means that companies must urgently get their house in order.
Now is the time to adopt organizational best practices in data protection and reduce compliance risks. The steep increase of penalties for infringement of the new rules – up to 2% of annual worldwide turnover – is an extra incentive to take timely action.
At a time when processing and analysis of Big Data – including large amounts of personal data – is seen as the fuel of the next economic boom, the economic relevance of this upcoming legislation is highly important. The business implications for companies are profound.
Most large companies deal with huge amounts of personal data from (prospective) customers, employees and suppliers. Over the last few years, online social media have given a whole new dimension to data protection.
Currently, the EU-wide legislation on data protection consists mainly of a directive from the year 1995, a year when the internet revolution was only in its infancy and nobody had heard of “online social networks.”
This directive coexists with a patchwork of national rules in the EU’s 27 Member States, as each Member State freely implemented the directive through local laws.
From patchwork to welcome harmonization
As a result, at the moment there is no real alignment of national rules regarding data protection. In Spain and France, enforcement for the private sector is in the hands of 1 nationwide agency; in Germany, there are 17 such agencies, 1 in each “Land” plus a federal regulator for telecommunication and postal services.
In Germany and France, infringement of data protection laws qualifies as a criminal offense and the law requires a data protection officer in certain companies (compulsory in Germany, optional in France); not so in Spain. Germany and Spain do not have summary procedures in data protection cases; France does.
Obviously, this is not an ideal situation for large multinational companies active throughout the EU. The new regulation will bring much needed updating, harmonization and simplification.
A single set of rules will be valid across the EU. Cumbersome formalities, such as general notification requirements for companies, will be abolished.
There will be a “one-stop-shop” for companies regarding data protection: the data protection authority in the Member State where the company’s control function has its main establishment. Enforcement will also be streamlined: there will be a set of common proportionate and dissuasive sanctions applicable throughout the EU.
The new name of the game: accountability
At the same time, the new regulation also increases the responsibility and accountability of companies regarding the way they process and protect data. Accountability is at the center of the new regulation.
In particular, article 22 clearly obliges a company to adopt policies and implement measures to ensure that data are protected in accordance with the regulation. The same article also requires companies to have their data protection policies and processes independently checked by internal or external auditors.
Failure to comply with article 22 can lead to serious sanctions, even if no actual breach of data privacy takes place. In other words, companies will be held accountable for adopting best practice in data protection policies.
The reach of the new regulation is profound. Accountability will not only apply to data controllers. Data processors, too, will be under the obligation to implement appropriate measures to ensure security of data processing.
Each controller and processor has to maintain documentation of all processing operations under their supervision; prior to high-risk data processing operations, controllers and processors have the obligation to carry out a data protection impact assessment.
Notifying security breaches within 24 hours
Every company with more than 250 employees that processes data, and any company whose core activity requires regular monitoring of data subjects, must appoint a data protection officer. Serious data breaches should be notified to the national supervisory authority as soon as possible – if feasible, within 24 hours. The new EU rules will apply even if personal data is processed outside the EU by companies active in the EU itself.
Data processing companies must also ensure they honor new individual rights protected by the regulation, such as “the right to be forgotten,” i.e., the deletion of all personal information on, for example, a social media website if the person in question so requests.
In a nutshell, the upcoming regulation explicitly imposes a fair amount of organizational duties on companies. At any time, companies can be asked by the relevant authority to demonstrate that their data processing systems and controls are in order.
Companies are therefore well advised to audit their current systems and controls and, if necessary, establish a plan to bring them up to the standards required by the new regulation, preferably by adopting best practices.
Tools to ensure compliance with the new regulation can include, for example, Binding Corporate Rules (BCRs) and Privacy Impact Assessments (PIAs). Obviously, regular audits of the efficiency of the systems and controls – as requested by the new regulation – are essential.
Best practice, the best line of defense
Robust systems and controls are not only important to comply with the regulation and to minimize the risks of any breach of data privacy. They will also help a company to defend itself if a breach were to occur.
The risk of such a breach can be minimized, but not fully eliminated. If a company can show that a breach occurred despite its adoption of best practices in all relevant areas of data storing and processing, the administrative and legal authorities will likely be more benevolent in their judgments.
In summary, companies should deal with the demands of the upcoming EU Data Protection Regulation swiftly and proactively. What the regulation demands is basically best practice in data storage and processing.
By implementing reliable and safe procedures, companies will minimize risks and obtain a competitive advantage.