A new data protection regulation is soon to be introduced
In May 2016 EU issued a General Data Protection Regulation. What we already know is that when the new regulations enters in May 2018, after a two year transition period, the regulation will bring new operational requirements for companies handling personal data.
Since the definition of “personal data” is so broad, nearly all companies will actually fall under its jurisdiction. As there is only a bit over 300 working days before the data protection regulations is enforced, we have gathered ten points that will help you get started already today.
1. Demonstrate that you follow the regulations
The new regulation requires that the keeper of the personal information register is able to demonstrate that they handle personal data in the required manner.
In practice, this means that you have to keep a register of the data processing operations that are under your responsibility in order to prove that they are in accordance with the regulations.
2. Make sure you have the consent
If the handling of personal data is based on the consent of a person, then you must be able to demonstrate that such consent has been given.
In addition, the requirements for consent will become stricter in the future:
Consent must be given clearly in a written, electronic or spoken statement The consent must show that the persona has voluntary, individualized, conscious and explicit expressed a wish that they accept the use of their personal data. Typically that would be by clicking a check box to give the consent
3. Enforce the right to be forgotten
A new topic that will be introduced with the regulation is the registered person’s right to be forgotten. In practice that means the right to have their data removed from your databases.
This kind of situation can occur when the person withdraw the consent they have already given for you to use their personal data. However, if the use of personal data is on some other legal basis, there is no obligation to remove the data.
If you have an obligation to remove data, you must inform all entities that have received or published the data. This is to ensure that all the links, duplicates and copies related to the material are also removed.
4. Enforce the right to move data
Currently, anyone have the right to receive their own data in a machine-readable format and transfer them to another register keeper.
This right also applies to personal data that a person has supplied to you trough consent or an agreement. This obligation does not, however, obligate you to approve or maintain data processing systems that are technically compatible.
5. Ban of profiling may affect you
Anyone have the right to not become a subject of decision based on automatic data processing that would have a judicial or otherwise significant effect on them. In other words this means that you cannot make important decision that affect a person based on an automatic data process.
An exception to this “profiling ban” would be when the decision is necessary for completing a contract between a person and your company. You need to ensure that your profiling and decision-making models comply with the law and that any necessary changes are made.
A common example of exception to profiling ban is when making credit decisions. Those decisions are often based on automated classification systems and decision recommendations.
6. Inform of breaches in your data security
In the future, you will be obliged to inform the authorities and registered people of any data security breaches. This includes situations where any individual’s rights and freedoms are infringed. In case these situations occur, there are a couple of activities you must do:
You must notify the authorities within 72 hours of the breach. You must inform all affected persons of the breach as soon as the security is likely to put their rights and freedoms at a significant risk
In order to meet these obligations it is important that you draw up internal instructions and procedures to ensure an efficient and correct process.
7. Inform about your data process
Companies across the world are now collecting more personal data than ever before. In order to meet the EU regulation in the future, you must give more information about the data processing that what has been required earlier.
What this means for you is that you have to state the storage time for personal data. Or, if that is not possible, you have to inform about the criteria used to determine the storage time.
In practice, this means, for example, updating the register and data security documents, as well as thinking about how informing the registered people is going to be carried out in practice.
8. The role of the new data protection officer
With the increasing focus on data protection, you might have to appoint a data protection officer to handle personal data. For example, organizations that require a data protection officer are companies where there is wide-ranging, regular and systematic monitoring of people or their core activities are made up of such monitoring. With this in mind we recommend you to evaluate whether the requirement for a data protection officer applies to you or not.
9. The outsourcing of personal data handling will require protective measures from you
If you have outsourced any part of the data process to another entity and they will handle personal data on behalf of you, there are a couple of thing you will be required to do:
You must ensure adequate technical and organizational protective measures will meet the requirements of regulations You must ensure that the rights of registered people are protected
In practice this means that you have to identify the situations where outsourcing is appropriate and ensure that all contracts are drawn up correctly. For example, the storage of data in cloud services is regarded as outsourcing, even though the service provider does not actively process the data.
10. Breaches may incur a hefty fine
It is also significant that in addition to a warning, you may receive a hefty fine for breaching the data protection regulation. The fine can be up to a maximum of EUR 20 million or 4 per cent of your company’s total turnover.