EU Data Protection Reform: Initial Reaction to Published Proposals

We reported a while back on leaked drafts of the new European data protection Regulation. Yesterday, the official version was published and Fashionista’s colleagues at Olswang spent a busy day analysing the practical implications of the proposal. Their more detailed analysis for in house counsel can be found here.

The highlights Fashionista says you must know are:

- The new rules could, if adopted, come into force as early as 2015 and there are a lot of changes all businesses processing personal data will need to take before then to ensure compliance.

- The Regulation will mean a harmonised set of laws across Europe which may will make life easier for you if you have a presence in different countries in the EU. But there’s not much other good news in the proposals unfortunately.

- If you are currently based outside the EU but do target European customers, then you won’t escape the rules anymore and will need to appoint a data protection representative in one of the EU jurisdictions where such customers are located to fulfil the compliance obligations.

- The rules will mean a lot more admin for you including privacy impact assessments, maintainance of a paper trail of all processing operations, data security evaulation and measures, appointment of a data protection officer etc.

- All companies will have to make a notification in the event of a security breach and will need to have a team and processes in place to prevent breaches and handle the process correctly and promptly if issues arise.

- If you are working on data projects or systems at the moment then you need to take a pause to re-think how they will need to change to reflect the new proposals.

In short, with new fines available of up to 2% of global turnover for breaches possible, and at the same time more obligations to perform, data protection compliance will no longer be something to give just lip-service to and must become a key consideration.