Agreement on the Data Protection Regulation: get your house in order
On 15 December 2015, after almost four years of negotiations, hundreds of meetings, amendments and compromises, political agreement was reached in the EU on the wording of the Data Protection Regulation.
What happens now?
The political agreement on the wording of the Regulation means that the only unresolved issue is the translation and quality assurance of the 23 language versions of the Regulation. When such work has been finalised, which is expected to be within a few weeks or months, the final and formal adoption of the Regulation will take place at the beginning of 2016. The two-year deadline for the commencement of the Regulation will start running from such date. All businesses and authorities etc affected by the Regulation must ensure within the same deadline that they comply with the Regulation requirements.
Old acquaintances, new challenges and increased enforcement
For the past four years the Data Protection Regulation negotiations have attracted great public attention. The Regulation has also received the unofficial title as the EU proposal that has triggered the most intense lobbying ever. However, this attention, and the extensive media publicity, has only given businesses and authorities a very limited insight into the actual effects of the Regulation on them and the measures that they should take now that the Regulation is close to falling into place.
The most significant new features in the Data Protection Regulation
- more rigorous requirements for documentation of consent
- a strengthening of the data subject's rights
- a right-to-be-forgotten
- risk-based requirements for privacy by design and privacy by default
- risk-based requirements that the business/authority must be able to prove compliance with the rules (accountability)
- a duty to inform the Danish Data Protection Agency and in some situations also the data subjects in case of data security failure (hacker attacks etc)
- providers of social media and other information services are to obtain the consent of parents to process information about children under the age of 16. The Member State may choose to lower the age to 13
- public authorities and certain private businesses are to have data protection officers
- a new "one-stop-shop" for groups of companies set up in several Member States, thus making it easier for them to know which data protection agency is competent to enforce the rules
- fines of up to 4% of global annual sales
Six recommendations for initiatives that your organisation should implement
The Data Protection Regulation has a very wide scope and comprises all private businesses and organisations and all public authorities apart from certain parts of the police and the prosecution service. Irrespective of which sector your organisation belongs to we recommend five specific initiatives that you should implement as soon as possible in order to use the period until the commencement of the Regulation in the best possible way.
1. Make a general legal analysis as to which changes in the Regulation that are most important to you
In order to ensure that you focus on the areas where the changes will have the largest effect on the organisation from the beginning you should make a preliminary legal analysis as to whether the organisation will be directly affected by a specific change due to the Regulation.
As far as private businesses are concerned, it may be the documentation requirements when using consent, whereas for public authorities it may be the requirement that a data protection officer must be appointed.
2. Carry out mapping of the personal data that is processed in your organisation
It may appear to be a simple exercise to determine the personal data that is processed in your organisation. However, it is our experience that precisely this task can often be extremely complex. At the same time this exercise is a fundamental condition for your organisation to be able to form a reliable overview as to where there is the greatest need for steps to be taken to ensure that you minimise your risks of data failure, unlawful processing, unnecessary accumulation of information etc, and it generally makes it possible to comply with the rules in practice.
As a possible added bonus, efficient mapping of your data streams may often generate value for the organisation by creating an overview of potentially value-creating information about your operations, customers, administrative procedures etc that is not currently exploited.
3. Get an overview of your suppliers
One of the largest risks for any organisation that is processing personal data is when such information is surrendered to external data processors. As a natural continuation of your mapping of the personal data being processed, your organisation should therefore thoroughly examine across the organisation which sub-suppliers you have been contracting with about personal data processing, for instance cloud providers and media agencies. What is necessary to ensure that the relevant agreements comply with the Regulation's more rigorous requirements? When this has been clarified, a renegotiation should be commenced and perhaps, depending on the individual supplier's readiness level, the agreement should be terminated in the light of the new requirements and risks implied by the rules of the Regulation.
4. Assess the overall exposure of your business/organisation
The Personal Data Regulation includes many requirements and several are relatively general. However, in practice, the Regulation will only rarely affect two organisations in the same way, not even when they are in the same industry or sector. Elements such as the use of computer systems, the spread of cloud computing, the degree of compliance with the present rules of the Danish Personal Data Act and the type of personal data being processed are just some of the aspects that may be vital to how your organisation is affected and, not least, how many or how few resources you will need to ensure that you will be able to comply with the requirements of the Regulation.
5. Keep the special nature of the Personal Data Regulation in mind
Based on the information identified in points 1-3, your organisation should make a specific assessment as to how best to comply with the legal requirements of the Regulation in practice.
As a rule, this task does not differ from other compliance projects. However, the significant difference is that unlike most other areas of compliance the Personal Data Regulation has a legal structure of its own and the interpretation of the requirements in the long term is to be made in the light of the extensive protection under EU law which each individual benefits from today. As abundantly illustrated by the judgments of the Court of Justice of the European Union in for instance Schrems (the Facebook/Safe Harbor case) and Digital Rights (about the Logging Directive), the area of data protection is subject to very special and sometimes far-reaching legal requirements, the compliance with which makes heavy demands on all relevant participants. In practice this means that assurance that your organisation complies with the Data Protection Regulation will often depend on difficult legal balancing of opposing considerations, for instance when using profiling, when rolling out Big Data projects and when implementing the right to be forgotten.
Accordingly, compliance with Regulation requirements can never just be a "checklist exercise" but must imply an actual legal determination that the contemplated processing of personal data is legal.
6. Provide documentation
Under the Regulation a requirement is only complied with if documentation is provided for such compliance. In this Regulation the so-called principle of accountability definitively moves the liability, not only in respect of compliance with the rules but also in respect of the verification and documentation thereof, from the Danish Data Protection Agency to the individual data controllers. Unlike the Danish Personal Data Act, where for instance the notification system to a large extent contributed to some degree of unintentional shifting of the responsibility for compliance with the rules towards the Danish Data Protection Agency, the principle of accountability implies that the individual data controllers must be able to guarantee and prove compliance with the rules.
Plesner Privacy Assessment - Your one-stop-shop
As the only advisor in Denmark, we offer to map our clients' organisations' present level of compliance and to provide subsequent assistance with implementation of the measures that we have identified as necessary to ensure complete compliance with personal data law and information security.
Plesner Privacy Assessment:
- Maps the business/authority's data streams both in respect of personal data and in respect of other related types of information
- Determines on a general level whether there is any value-creating information in the organisation in order to better realise unresolved potentials
- Identifies the organisation's current level of compliance and significant challenges in relation to the handling of personal data, trade secrets etc
The assessment is concluded by a report that includes a brief and accurate description of the most important challenges faced by the organisation in terms of the personal data legislation as well as our immediate proposals for solutions and initiatives. On the basis of the report the organisation can decide how to proceed in relation to the Personal Data Regulation.
A Plesner Privacy Assessment is prepared at a fixed and competitive fee agreed from the start of the assignment.
Plesner Data Protection Law Certificate
The Data Protection Regulation introduces a requirement that a number of organisations, including public authorities and businesses carrying out extensive processing of particular (sensitive) personal data, appoint a data protection officer. It may be advisable to establish a similar function in other organisations even if they are not directly comprised by the Regulation's data protection officer requirement.
In the spring of 2016 Plesner will therefore be offering the Plesner Data Protection Law Certificate with four different tracks targeted at private businesses, the public sector, the financial sector and the pharma/medico industry.
Read more about the Plesner Data Protection Law Certificate (in Danish)
Join the Data Protection Day 2016 and get an overview of the Regulation
In response to a great demand among businesses and authorities for an overview of the Personal Data Regulation and its consequences, the annual Data Protection Day 2016 that is arranged by Plesner on 28 January 2016 in collaboration with the Confederation of Danish Industry and the Danish Council for Digital Security will be dedicated to the Regulation. The themes at the conference will include guidelines on how businesses can best prepare their organisations for the Regulation requirements, presentations on the practical aspects of the special role as data protection officer and the Danish Data Protection Agency's opinion of the Regulation.
Read more about the Data Protection Day 2016