Firstly, many thanks to those of you who joined us at our legal update seminar last week on the Data Protection Regulation. It was great to see so many of you and was interesting to hear views on the new Regulation.
Here are five key points coming out of our presentation and the subsequent discussions.
- Accountability is the new data protection watchword. Organisations will be held accountable for their use of personal data in the future and will be required to have a robust privacy framework embedded within their organisation.
- Those large fines are real. Up to 2% of an organisation’s annual global turnover for certain breaches. For example, failure to appoint an internal data protection officer could land an organisation with this highest level of fine. This will provide many with the real calling card for executive-level ‘buy-in’ that has been a struggle in the past.
- No more hiding for data processors. For the first time data processors will be subject to express data protection obligations themselves in relation to, amongst other requirements, legitimate use of personal data and security obligations. I suspect we can expect to see a dusting down of all of those contracts with standard seventh principle language and a new indemnity-heavy negotiating tack in future.
- Watch out Silicon Valley! European legislators are looking to make a significant “land grab” with the extension of the Regulation beyond organisations established, or using equipment, in Europe. The application of the new rules to any organisation offering goods or services to individuals within Europe, or monitoring their behaviour, will make European data protection law a key concern for many international organisations – for example the Silicon Valley “Big Data” suppliers and other non-EU-based businesses. Expect to hear much more from the US and elsewhere about what is required to comply with our new privacy laws.
- It’s not all bad news! Binding Corporate Rules are here to stay. Expressly recognised in the Regulation, the process for implementing BCRs across Europe should become more streamlined.
Huge thanks to Simon McDougall from Promontory for his excellent presentation on the commercial realities of the new draft Regulation. Simon drew out some excellent points regarding the disproportionality of the level of fines proposed by the Regulation, particularly for those organisations with the majority of their business outside Europe. He also highlighted the practicalities of organisations staffing their new data protection officer roles.
We will be examining the Regulation in further detail at our upcoming event with Privacy and Data Protection. I hope to see you there.