The new General Data Protection Regulation requirements for companies
by Nadezhda Svinarova-Petrova and Nikolay Svinarov
A new legal framework for data protection across the European Union is now official with the publication in the Official Journal of the European Union on 4 May 2016 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“Data Protection Regulation”).
Thus, the long overdue change in data protection has finally arrived in a sector where the value of personal data will grow to nearly 1 trillion Euros annually by 2020*. This considerable growth will naturally create new business opportunities and companies need to be prepared for the new set of standards in order to seize said opportunities without risk.
To understand the reasons for and importance of this new European legal instrument, five main questions need to be answered.
1. Why is the adoption of a new protection so important?
With the intense pace of technological progress, the protection in Directive 95/46/EC soon revealed itself to be outdated. Ever since this gap became obvious, the European institutions have been dealing with a very difficult task: integrating over 20 years of technological change into a new legal instrument which provides adequate protection in current situations and (hopefully) covers future developments.
The European institutions put forward the benefits of the new protection both for individuals and companies**:
- Provide a consistent legal framework across Member States: more than 90% of Europeans claim to have already personally felt the inconsistency of the patchwork of national laws across the European Union and have confirmed that they want the same data protection rights in every Member State;
- Remove obstacles to cross-border trade and make it much easier to expand projects;
- Reduce costs and increase profits: benefits are estimated at 2.3 billion Euros per year.
However, while institutions proudly announce their agreement and draw attention to the undeniable advantages and opportunities of the Data Protection Regulation, the burden on companies to implement the new requirements is significant.
2. How do the European institutions address the issue?
Unlike the old European instrument on data protection (directive), this time the European legislator has chosen a regulation.
The reason is that the 28 different national laws on data protection within the European Union considerably complicated the development of projects involving several Member States, as well as the daily work of groups of companies.
In fact, whereas a directive needs to be implemented and enforced by national legislation which leaves states certain flexibility, regulations become law in the very terms in which they are adopted.
Thus, the need for consistent and uniform rules in the EU could only be satisfied by means of a regulation.
3. What will be the impact on business?
The first major impact of the Data Protection Regulation is its application beyond Europe: it will apply to anyone who handles data on EU citizens, regardless of their place of business and the place where the data is processed. This expanded responsibility will require companies to audit their existing contracts with third parties, including data processors to whom data protection obligations will also apply (such as cloud providers), and to make the required modifications.
Above all, this new legal instrument provides for increased compliance obligations which will require companies to reconsider their internal organisation.
Data should be classified and risk assessments should be made by categories. Codes of conduct and internal procedures on data processing will have to be adopted and reviewed systematically.
From now on, the issue of personal data will have to arise at the very stage of conception of new projects (privacy-by-design) in order to apply appropriate measures from the outset.
The person who will oversee this new internal organisation will be the Data Protection Officer, whose appointment becomes compulsory under certain circumstances, in particular for companies which process sensitive data. The Regulation clearly states the importance of such a body by requiring that data protection officers be provided with all the necessary resources to properly fulfil their obligations.
4. When will the Data Protection Regulation apply?
The Data Protection Regulation will enter into force on the 20th day following the date of its publication in the Official Journal of the European Union, i.e., on 25 May 2016.
However, it shall not apply before 25 May 2018.
Until that date, compliance teams will need to work hard to review the new requirements and put into place processes to comply with them.
5. What if companies are not ready for their new data protection obligations?
The consequences for companies unable to meet the new requirements by the announced date could be significant: the Data Protection Regulation provides for increased fines of up to 20 million Euros or 4% of the global annual turnover of a company, whichever is greater.
In addition, a class action mechanism is introduced, and breaches could lead to significant financial costs and reputational damage.
Thus, any non-compliance with the new requirements could have a significant impact on companies, and especially on international groups of companies.
It seems that the two-year period for preparing for the Data Protection Regulation requirements will only be sufficient for companies which start working on this issue without delay.
*V. Reding, Data Protection Reform: restoring trust and building the digital single market, 4th annual European Data Protection Conference, Brussels, 17 September 2013.
**V. Jourova, Data Protection Reform: What benefits for businesses in Europe?, Fact Sheet January 2016.