With the anticipated publication of the European General Data Protection Regulation (“Regulation”) in 2016, multi-national companies are beginning to assess how the new Regulation will affect their global data protection and privacy compliance programs. The new Regulation will likely affect companies based both inside and outside the EU, so it is important for all multi-national companies to understand whether the Regulation will apply to them and, if so, what new requirements and obligations it will impose.
What is happening?
The Regulation will largely replace the existing country-specific data protection laws in the EU and will apply directly in all Member States in order to achieve greater harmonization of data privacy law. The final Regulation will come after a long process of negotiation and amendments. After the European Commission (“Commission”) published the first draft of the Regulation in January 2012, the European Parliament (“Parliament”) adopted numerous proposed amendments in March 2014, and in June 2015 the European Council (“Council”) published its proposed amendments. The Parliament’s version and the Council’s version are both based on the Commission’s draft of January 2012. Recently, the Commission, the Parliament and the Council began negotiating the various proposed amendments to the Regulation (the so-called “trilogue” negotiations). It is anticipated that the European lawmakers will agree on a final version of the Regulation in early 2016. Companies will then have two years to get their privacy house in order before the Regulation comes into effect, likely in early 2018. Given the anticipated number of changes resulting from the Regulation, companies should begin working on compliance sooner rather than later, particularly if the company has not been subject to European data protection law in the past.
Is my company subject to the Regulation?
The Regulation will apply not only to companies established in the EU, but also to companies that process personal data about EU residents where the processing activities relate to the offering of goods or services to such EU residents, irrespective of whether a payment is involved, or to the monitoring of the behavior of EU residents. The term “monitoring” is not restricted to the work environment; it would also encompass monitoring of the online behavior of website users. Data processors (service providers who act under the instructions of the company that “controls” the data) both inside and outside the EU may also be subject to the Regulation. According to the Parliament’s text, data processors will be subject to the Regulation if the data controller on whose behalf they act is subject to the Regulation. In June 2015, the Art. 29 Working Party supported the territorial scope for data processors as proposed by the Parliament. Consequently, all companies that have some connection to the EU need to determine as soon as possible whether or not the Regulation will apply to them.
What are the risks?
Companies subject to the Regulation will face much higher risks than under the existing regimes. The Commission proposed fines of up to 100 million Euros or up to 2.5% of the annual worldwide turnover, whichever is higher; the Parliament’s proposal increased the fines to up to 5% of the annual worldwide turnover. The annual worldwide turnover will likely be calculated on a group-wide basis.
How can we prepare?
Although the specifics of the final version of the Regulation are not yet confirmed, at this stage there is a range of activities that companies may wish to consider now to prepare for its anticipated adoption.
1. Determine whether the company does business with European customers, employees, or other individuals, or could otherwise become subject to the Regulation.
2. Determine whether additional human resources are required to fully comply with the obligations under the Regulation, especially with respect to the appointment of a company data protection officer or a representative in the EU.
3. Conduct a closer analysis of how the company currently handles personal data and what the data flows look like, and then create a detailed data inventory. If this information is available, any work on the internal records (see point 4 below) will be a less time-consuming task.
4. If the company is already subject to European data protection laws, complete the necessary filings with the data protection authorities and keep them updated. Even though, in principle, the Regulation is supposed to abolish filing requirements, the filings will in any event be replaced by internal record-keeping requirements, so any work on filings during the next two years will be helpful. Ideally, the additional details that will be required for the internal records under the Regulation should already be gathered in the course of any filing projects.
5. Review the company’s information notices and identify any missing details that may be required under the Regulation.
6. Create a procedure for the data privacy impact assessments that will be required under the Regulation.
7. Develop a data breach response policy and designate responsible individuals.
8. Review your contractual compliance and determine whether additional agreements or changes to existing agreements are required, in particular in light of the new requirements for data processing agreements, such as describing the subject-matter and duration of the data processing, the purposes of the data processing, the types of personal data and categories of data subjects, specific audit clauses, and obligations to assist the data controller in ensuring compliance with its own data protection obligations.
9. Evaluate whether your information technology systems have sufficient auditing and tracking capabilities to produce, upon request from data subjects, detailed information about the sources, uses, and disclosures of their personal data.
10. Prepare to invest more in privacy and information governance. The enhanced penalties for non-compliance with the Regulation will drive businesses to invest more heavily in data protection policies, procedures, and governance so as to achieve greater compliance while minimizing the impact on the business. This will require a delicate and skillful balancing of risks and interests, and will ultimately demand more attention from senior managers and decision-makers.