by Nadejda Svinarova-Petrova and Nikolay Svinarov
A new legal framework for data protection in the European Union is now official with the publication in the Official Journal of the European Union on May 4, 2016 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC ("Data Protection Regulation").
In addition to this, you need to know more about it.
Thus, the long-awaited change in data protection has finally arrived in a sector where the value of personal data will reach nearly 1 trillion euros per year by 2020 *. This tremendous growth will naturally create new business opportunities and companies must be prepared for the new set of standards in order to seize these opportunities without risk.
To understand the reasons and importance of this new European legal instrument, five main questions need to be answered.
Why is adopting new coverage so important?
With the intense pace of technological progress, the protection of Directive 95/46 / EC quickly became outdated. Since this loophole has become evident, the European institutions are faced with a very difficult task: to integrate technological changes of more than 20 years into a new legal instrument which offers adequate protection in current situations and (hopefully) covers them. future developments.
In addition to this, you will need to know more about it.
The European institutions highlight the advantages of the new protection for both individuals and businesses **:
- Provide a coherent legal framework in all Member States: over 90% of Europeans say they have personally experienced the inconsistency of the mosaic of national laws across the European Union and have confirmed that they want the same protection rights data in each Member State;
- Remove obstacles to cross-border trade and develop projects much more easily;
- Reduce costs and increase profits: the benefits are estimated at 2.3 billion euros per year.
However, as the institutions proudly announce their agreement and draw attention to the undeniable benefits and opportunities of the Data Protection Regulation, the burden on businesses to implement the new requirements is significant.
2. How do the European institutions tackle the issue?
Unlike the old European instrument on data protection (directive), this time the European legislator has chosen a regulation.
In addition to this, you need to know more about it.
The reason is that the 28 different data protection laws within the European Union have considerably complicated the development of projects involving several member countries as well as the day-to-day work of business groups.
In addition to this, you need to know more about it.
Indeed, while a directive must be transposed and applied by national legislation which leaves States a certain flexibility, the regulation becomes law in the very terms in which it is adopted.
In addition to this, you need to know more about it.
Thus, the need for coherent and uniform rules in the EU could only be met by means of a regulation.
In addition to this, you need to know more about it.
3. What will be the impact on businesses?
The first major impact of the Data Protection Regulation is its extra-European application as it will apply to anyone who touches EU citizens' data, regardless of their place of business and where the data is. are processed. This new extended responsibility will require companies to audit their existing contracts with third parties, including subcontractors to whom data protection will also apply (i.e. cloud providers), and to make the required changes.
Above all, increased compliance obligations are provided for in this new legal instrument which will require reconsidering the internal organization of companies.
In addition to this, you will need to know more about it.
Data should be categorized and risk assessments should be categorized. Codes of conduct and internal procedures on data processing should be adopted and revised systematically.
In addition to this, you will need to know more about it.
From now on, the question of personal data will have to be raised at the very stage of the design of new projects (privacy-by-design) in order to apply the appropriate measures from the start.
In addition to this, you will need to know more about it.
The person who will supervise this new internal organization will be the Data Protection Officer, whose appointment becomes mandatory in certain circumstances, in particular for companies that process sensitive data. The regulation clearly states the importance of such a body by implying that data protection officers must be provided with all the necessary resources to properly fulfill their obligations.
4. When will the data protection regulation apply?
The data protection regulation will enter into force on the 20th day following the date of its publication in the Official Journal of the European Union, i.e. May 25, 2016.
In addition to this, you will need to know more about it.
However, it will not apply until May 25, 2018.
In addition to this, you will need to know more about it.
Until then, compliance teams will have to work hard to review the new requirements and put processes in place to comply.
In addition to this, you will need to know more about it.
5. What if companies are not ready for their new data protection obligations?
The consequences for companies unable to meet the new requirements by the announced date could be significant: the data protection regulation provides for increased fines of up to 20 million euros or 4% of global annual turnover of a business, whichever is greater.
In addition to this, you will need to know more about it.
In addition, a class action lawsuit is initiated and breaches could result in significant financial costs and damage to reputation.
In addition to this, you will need to know more about it.
Thus, any non-compliance with the new requirements could have a significant impact for companies and in particular for international groups of companies.
In addition to this, you need to know more about it.
It seems that the two-year period to prepare for the requirements of the Data Protection Regulation will only be sufficient for companies that start working on this issue without delay.
In addition to this, you need to know more about it.
* V. Reding, Data Protection Reform: Restoring Trust and Building the Digital Single Market, 4th Annual European Data Protection Conference / Brussels, September 17, 2013.
** V. Jourova, Data protection reform: what are the advantages for businesses in Europe ?, Factsheet January 2016.