The Changing Data Protection Landscape

March 10, 2017

The changing data protection landscape – what should you be doingThe EU’s data protection landscape is undergoing a complete reshape.  To many organisations, compliance with data protection laws is a necessary evil.  Aspects of it, such as subject access requests, e-security and direct marketing can place heavy time, resource and administrative burdens on organisations.  From May 2018, the General Data Protection Regulation (the “Regulation”) comes into force, replacing the existing Data Protection Directive (95/46/EC).  Consequently, this burden is now only set to increase.

To keep pace with technological change, and to combat the increasing threat posed to cyber security, data protection law within the EU is set to become more comprehensive.  The main objective is to harmonise the legal framework operating within the EU so that businesses will face a more consistent set of obligations when storing personal data from individuals resident in various EU member states.  Any organisation that processes or controls personal data (such as any e-commerce website, airline, social media platform, utility company, retailer, hotel chain or event organiser) may need to alter and upgrade how they process personal data stored in their databases, and re-train their staff on the application of the new rules.

Why is this important?

The Regulation is fundamentally important because it will bring significant change to the existing data protection landscape. Whilst many of the existing ‘core’ concepts will remain unchanged, businesses subject to the Regulation will need to adopt a far more ‘risk-based’ approach to how they process personal data, including assessing degrees of risk at all stages in the processing and having clear audit trails.

National data protection authorities (each a “NDPA”) will be given a range of additional sanctions to impose on non-compliant data controllers.  The intention is for all fines imposed by each NDPA to be consistent, calculated according to a set formula.  Data controllers and processors can now face larger fines (up to the greater of 2% of annual worldwide turnover for the preceding financial year or €10m), for the following violations:

  • Inadequate internal record keeping.
  • Data security and breach notifications.
  • Failure to nominate and train data protection officers.
  • Inadequate contracts with data processors or privacy policies (or inadequate implementation of the same).

Organisations guilty of more serious violations, such as breaches of the data protection principles, breaches of previous undertakings given to the relevant NDPA, failure to obtain a data subject’s consent (where required) or breaches of international data transfers can be fined up to the greater of 4% of annual worldwide turnover for the preceding financial year, or €20m.  First non-intentional breaches may receive a written warning, and subject the data controller to regular periodic data protection audits.  The organisation may also be liable for the NDPA’s bill for such audits.

If you process or store personal data of any kind, and are interested in the subject of this note, the full article can be found here. If you require advice on how the changing rules may affect you or your approaches to storing personal data, please feel free to get in touch with your usual contact at Kerman & Co. who will be happy to explain the implications to you, or direct you to someone who is able to assist.  

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice.  We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

Key Contacts