New Data Protection Regulations Imminent

Peninsula Team

February 03 2013

Introduction

In January 2012, the European Commission outlined comprehensive reforms of the EU's 1995 data protection rules with a view to strengthening online privacy rights and Europe's digital economy. There are two main drivers behind this reform process: firstly, technology has developed at an exponential rate since 1995 and, accordingly, data protection rules need to adapt; secondly, each individual EU Member State implemented the 1995 EU Directive in different ways, leading to divergence in rules from one State to another. The most important question, however, is what will it mean for YOUR business? One aspect that employers should specifically bear in mind is the increased fines that will be imposed on employers if they fail to comply with the new Data Protection rules.

Who will the Regulations apply to?

The Regulations will apply to any Organisation that processes personal data and is either established in the EU, or offers goods/services to, or monitors the behaviour of, EU residents. A general overriding principle is that data retention must be ‘limited to the minimum necessary’.

Data Protection Policies

Each business will be required to have data protection policies in place and these must be clear, transparent and accessible. These policies should, for example, identify the type of data being stored, how long it will be stored for, where the employee should complain if they are unhappy about the storage of their data, etc. If an employer fails to comply with policy requirements then they could face fines of up to 1% of their global turnover.

Consent to Retention of Data

Under the new rules, an Organisation would be required to obtain “explicit and informed consent” from an individual where they would be processing both personal data and sensitive personal data about them. Importantly, an Organisation would not be able to argue that they had received ‘passive consent’ to the processing of personal data (an example would be when purchasing something online and requiring the purchaser to ‘untick’ a box in order to be removed from a mailing list; the new rules would mean that a purchaser would have to actively ‘tick’ the box to join such a mailing list).

The Right to be Forgotten

The right to be forgotten is a somewhat controversial element of the Regulations. It would provide that an individual (data subject) has the right to be forgotten and to have their information erased from record where there are no legitimate grounds for its retention. It is envisaged that this will apply mostly to online services and the retention of personal information after a data subject uses such a service.

Access Requests and Administration Fees

Under current rules, an Organisation based in Ireland can charge an administrative fee of €6.35 where a data subject has made an access request for information kept about them by a data controller. However, the new rules would require the data controller to provide such information free of charge, unless the request is manifestly excessive. Additionally, the data would have to be provided within a reasonable time frame, which would normally be one month.

Notification of Data Protection Breach

If it is discovered that there has been a breach of data protection rules then the data controller will be obliged to inform the Data Protection Commissioner. If it is deemed that the breach would also have an adverse impact on the data subject then the data subject must also be notified. This is very important, as an Organisation that fails to comply with these breach notification requirements would be liable to a fine of up to 2% of their global turnover.

The New Role of Data Protection Officer

Any data controller that is either (a) a public body, (b) a business employing more than 250 persons, or (c) a company that regularly and systematically monitors data subjects will be required to employ a Data Protection Officer. This role would carry significant responsibility in terms of ensuring Data Protection compliance and providing training to staff. Indeed, a failure to appoint such an officer could lead to fines of up to 2% of global turnover.

Data Protection and Transfers Outside the EU

If a data controller will be transferring data outside of the EU then they will be obliged to ensure that the data subject continues to receive the same level of protection that they would receive within the EU. Conversely, if the data controller is based outside of the EU but will be impacting upon the data rights of persons within the EU then they must nominate an EU data representative. A failure to comply with these requirements could lead to fines of up to 2% of global turnover.

Conclusion

The new Data Protection rules are anticipated to come into force by 2015 and they will seek to standardise Data Protection throughout the EU, thereby reducing administrative costs for businesses operating in the EU market. It is also anticipated that there will be a positive knock-on effect on employment in the online services industry. As it stands, data controllers in Ireland are subject to much less stringent rules than those coming into force, and the possibility of lofty fines will increase exponentially when the Regulations are adopted.

Employers are strongly encouraged to seek advice from Peninsula Business Services on how the Data Protection Regulations may affect them. Please phone the 24 Hour Advice Service on 01 855 50 50 and one of our experienced advisors will be happy to assist.