New EU Data Protection Regulation – changes to companies’ models of operation to be expected

The European Parliament and the Commission came to an agreement on the final version of the content of the new Data Protection Regulation on December 2015. The Committee on Civil Liberties, Justice and Home Affairs of the Parliament confirmed the contents after voting. The new Data Protection Regulation will be now formally adopted and will enter into force after a two-year transition period in 2018. The Regulation will replace the existing Finnish Personal Data Act (523/1999), and will therefore directly impact all companies processing personal data in the course of their operation.
The new Regulation will harmonize the present data protection legislation in different EU Member States and determine common rules for the use of personal data.
The Data Protection Regulation will also set out a number of new obligations to enterprises. Some of the most important reforms are described below:

The new Regulation is largely based on the principle of accountability, which refers to a risk based and proactive approach to planning and preparedness for data protection. Clearly described obligations and pre-prescribed processes for processing of personal data will help the companies to comply with the principle of accountability. Companies’ own assurances that everything is in order is not enough. They must also be able to demonstrate that they meet the set requirements and have taken data protection risks into account in their activities. For many companies, this will mean a series of changes to their models of operation because they must be ready to present concrete evidence on their decisions or plans, where necessary. Checking some boxes once a year is not enough to maintain data protection at a sufficient level.

Data protection officer (DPO)

A data protection officer is a person whose task in the company is to ensure effective data protection and enforce adherence thereto. The DPO also acts as the contact person and adviser in data protection matters. According to the Regulation, companies operating as data controllers or data processors and whose core activities consist of systematic monitoring of data subjects or processing of sensitive personal data must designate a data protection officer. The DPO must have a good understanding of data protection issues. The DPO may be an employee of the company or the company may appoint a data protection expert of its service provider for the role.
 
Personal data breach (data breach notification)

The Data Protection Regulation introduces an obligation to notify personal data breaches. The data controller must, not later than 72 hours after having become aware of it, notify the personal data breach to the authorities.

When the personal data breach is likely to cause great risk to the protection of the personal data or privacy of the data subject, the controller is also obligated to communicate the personal data breach to the data subject without undue delay. The risk assessment to be carried out must be based, for example, on the nature of the breached personal data and the manner in which the breached material has been protected. Communication of a personal data breach to the data subject may not be required if the controller has implemented appropriate technological protection measures, such as appropriate data encryption measures.

Data processors are obligated to notify all personal data breaches also to the data controller immediately.
 
Data protection impact assessment

Data protection impact assessment refers to a risk assessment of the impact of the envisaged processing operations on the protection of personal data. The assessment must be carried out when the processing operations concern, for example, profiling – i.e. systematic and extensive automated evaluation or making conclusions based on personal data – or extensive processing of sensitive personal data (e.g. race, political views, religion, health records). The need for an impact assessment is also affected by a number of other factors such as the extensiveness and purpose of the data processing and the maturity of the technology envisaged to be used in the personal data processing. The Data Protection Authorities will later provide further instructions on cases requiring an impact assessment.
 
Right to be forgotten and right to data portability

The Data Protection Regulation will provide the data subjects, for example, with the right to require that their personal data be erased, provided that the processing of the data is no longer necessary and that there is no other legal ground for the processing of the data.

In addition, the data subjects are entitled to obtain from the controller a copy of their personal data in an electronic and structured format which is commonly used for the purpose of, for example, transmitting those data into another system or service.  

Implementing these and other rights of the data subjects specified in the Regulation means that several companies will need to carry out a number of changes to their operating models and to their data systems. It is unlikely that the existing number of customer service staff will be able to handle all the new service requests expected.

Processing of personal data of a child (age of consent)

Until now, several online services and social media sites have followed the practice that children of the age of 13 years or older may register as a service user without the consent of their parent. Children below this age are either prevented from using the service, or the use requires an authorization by the custodian. The new Data Protection Regulation will change the situation so that in the future, EU Member States may independently determine the age limit for the consent of the custodian for the registration of personal data. The age limit may be between the ages of 13 and 16 years. Setting the age limit higher than the age of 13 years is likely to result in a great number of disappointed teenagers who have previously used certain social media services but are now blocked from the services until they obtain an authorization from their custodian.

Administrative sanctions

The Data Protection Regulation will empower the authorities to impose fines to companies infringing the provisions of the Regulation, for example, by not assigning a data protection officer. The fine may be up to 4% of the company’s worldwide turnover.

The threat of being fined emphasizes the significance of accountability, discussed at the beginning of this blogpost. It could be imagined that a data breach, at the very least, will get authorities interested in investigating the arrangements of the breaching company regarding personal data processing, risk assessment, level of data protection, and persons that should have been responsible for ensuring appropriate data protection.

The new Data Protection Regulation is expected to be formally approved now. The approval is followed by a two-year transition period, during which companies must amend their activities to comply with the requirements of the Regulation.
Our recommendation for companies is to start preparing for the new data protection provisions already today.