New EU Data Privacy Laws
Some cynics may say this is another attempt to raise revenues by imposing possibly huge fines on big companies, but others will say that data and privacy are becoming a very big issue and that action and enforcement with teeth are absolutely essential.
In English law, we already have the Data Protection Act, and this, in theory, already places a high burden on all businesses as regards data protection, with potentially stringent enforcement. The problem lies in enforcement, since the resources needed to police this kind of legislation are simply immense.
One requirement of the proposed new EU rules is that every company with 250 employees or more would need to have a designated Data Protection Officer (DPO).
The DPOs will be given free rein over the company’s data to ensure that any possible occurrence of data risk, for both clients and the company itself, is brought to an absolute minimum, and will monitor all data protection applications utilised within the company.
DPOs will report any findings to the company board but will be considered as independent and won’t take their instruction from the company’s chief executives or board.
One particularly interesting aspect of the proposed new role is that DPOs would get special employment protection, serving a minimum employment term of two years and being dismissible only on the grounds of performance issues.
Also within the revision is the introduction of ‘The right to be forgotten’. This new ruling will mean that companies will be expected to delete data immediately on the request of the user and will also be obligated to report any breaches of data within 24 hours of the breach if feasible, or as soon as possible.
One of the most frightening aspects of the revision is the possible penalties. These penalties can be up to £1 million in smaller companies or up to 2% of the annual turnover in larger companies.
When we take a look at global companies such as Facebook, which has an average annual turnover of $4.20 billion, a breach in the Data Protection Act could cost them somewhere in the region of $80 million or more.
The last update of the EU Data Privacy Directive took place in 1995, since which time the advancement in technology has resulted in a vast increase in digital communication, much of it involving personal data and transaction details.
Although the review was undertaken with an eye to how new media technologies such as Facebook use their data, it is thought that these new rules will have considerable impact on virtually every technology company in the EU. There’s also a good possibility that companies will be seeing far more bureaucracy within their walls once these rules come into play.