Data has become an increasingly important commodity for those working in the fashion industry. Knowing who your customers are, their spending habits, likes and dislikes is invaluable. But alongside enjoying such an asset comes responsibility. Most will know that such responsibility is legally based on our data protection regime and legislation which has been in place since 1995 (or 1974 if you want to go right back to the beginning). So it is pretty big news when that legislation gets rewritten!

Fashionista was therefore excited to see a leak of the new European proposals for a new data protection Regulation in the FT last week.

The document sits rather heavily on her desk at 116 pages long, but Fashionista has been through it for you and sets out the main highlights below:

  • The rules, if approved, would need to be implemented uniformly across Europe (whereas currently the Directive has led to many national variations).
  • In short the new regime looks set to be a lot less principle based and a lot more bureaucratic and prescriptive!
  • Data controllers will be subject to increased paperwork and filing obligations including specific requirements to have in place data policies (which have become almost standard industry practice now anyway) as well as internal policies for example in relation to data security, assignment of responsibilities and training and mechanisms to verify the effectiveness of such policies including through external audit if proportionate. Companies with over 250 permanent employees will also need to appoint a data protection officer and privacy impact assessments need to be carried out in respect of new processing activities.
  • Data protection authorities are also going to get a lot busier both checking up on this mountain of paperwork and also given that data controllers will be required to obtain prior authorisation for certain processing activities and to consult with them in relation to impact assessments where certain specific risks are identified.
  • Some provisions have been included as an obvious response to the rise in social media. One such new provision concerns a “right to be forgotten” – i.e. the right to require that data on you be deleted, including from any public record (although how providers are able to control and effect that is unclear). The document also clarifies that if you want to use data for a new purpose, or to change terms and conditions, then you need to reobtain consent (no doubt prompted by Facebook, who got into hot water with the US Federal Trade Commission and in Europe recently for failing to do that).
  • The Regulation seeks to extend the ambit of protection to cover activities carried out outside of the EU but which are directed at people residing in the EU, including the offer of products or services – and requires that such entities establish a representative in the EU.
  • It provides a definition of a “child” as a person under 18 and states that consent below this age will only be valid if given or authorised by their parent or custodian (which is more onerous than currently in the UK where 16 is a more usual benchmark so that will be a bit of a pain for data users, as well as teenagers!).
  • It requires controls be placed on third party processors who help process data on behalf of a data controller and in particular again sets out specific documentation which must be kept.
  • All data controllers now have to notify the authorities if there is a data security breach and to notify data subjects where the breach is likely to adversely affect the protection of their personal data or privacy (currently this is only a legal requirement for electronic communications service providers such as ISPs and recommended for others where there is a serious breach).
  • The Commission also encourages the establishment of data protection certification seals and marks, so we can expect to see a whole industry born on the back of that!
  • A new European Data Protection Board will be established in particular to advise the Commission and ensure consistent application of the Regulation throughout Europe.
  • Penalties will increase, with minimum sanctions outlined including fines of up to 100,000 – 1,000,000 EUR or 5% of annual worldwide turnover for certain negligent or intentional breaches.

Just to be clear, there’s no need to panic – this isn’t a change in the law which applies now. It isn’t even a final approved draft yet. Fashionista will be sure to keep you posted with all the latest developments…

By: Elle Todd