At Ius Laboris, we understand that data privacy is an evolving area of law and that it can be hard for businesses to keep pace. This is why our data privacy lawyers act as your partners in managing privacy and data protection for your workforce. Our data privacy experts work to ensure compliance with data protection law. They offer advice on all forms of data processing, including collection, storage, use, retention, rectification and deletion.
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; "personal data" corresponds roughly to PII in US usage) is a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. The General Data Protection Regulation, adopted in April 2016, will supersede the Data Protection Directive and will be enforceable starting on 25 May 2018.
The first EU Data Protection Directive was written in 1995, but a new, stronger regulation is being developed to take into account the vast technology changes of the last 20 years. The plan is to finalise the regulation this year and implement it in 2017.
As with any regulation, the current draft could change. However, only minor changes were made between the last two drafts, despite lobbying attempts, and the latest version is possibly as close to final as we’ll see. Below are 10 of the most important elements European organisations should take away from the current draft, to help them prepare for 2017.
This is a regulation, not a directive
The terms regulation and directive are often used interchangeably, but they are very different. A directive is implemented and enforced by individual countries, whereas regulations become law without change when they are passed. The current EU data protection directive resembles a patchwork of slightly different laws across Europe, but the new regulation will be implemented in all 28 countries.
Data processors will be held responsible for data protection
Under the directive, any data "by which an individual can be identified" was the sole responsibility of the data controller, i.e. the owner of this data. Under the new regulation, however, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers. Put simply, anyone who touches or has access to your data, wherever they are based, is responsible in the case of a data breach. The ramifications of this are pretty broad. Third parties will need to be extra vigilant when it comes to securing the data of others, and data owners will want to thoroughly vet their partners.
With the new regulation in mind, organisations should think about reviewing their third-party contracts now. In the case of cloud providers, seriously consider having, as part of your contract, the ability to carefully review their procedures and even their facilities to make sure they are up to scratch. Many cloud service providers, especially those based outside the EU, may not believe that the regulation applies to them; it is clear that it will.
The GDPR (General Data Protection Regulation) aims to give EU data subjects back the control of their personal data. Most organizations are concerned about the potential significant financial penalties the Regulation can bring. Some forward-thinking companies, however, are also planning how to turn GDPR into an opportunity in 2017.
The countdown to the GDPR has begun. Where are you already meeting the requirements, and where do you still need to push forward the transition? Take a short test to receive valuable information on this matter. It only takes around two minutes to answer a few questions on the various areas, after which you will receive a chart giving you an overview of the areas in which you are currently on the way to GDPR compliance.