Today, 25 January 2012, the European Commission unveiled its proposals for far-reaching changes to EU privacy legislation.
We foresee the Regulation being in force by 2015. Every aspect of an organisation’s compliance obligations will increase – and there will be fines of up to 2% of global turnover for breach. We highlight the top three immediate action points to consider. We also provide seven further action points to address in the months ahead.
Three immediate impacts
- Non-EU businesses need to select an EU Member State. Scenario: a large Asian company holds personal data on Asian servers about its many EU customers. It has purposely not established a presence in the EU but will now need to decide in which of the EU Member States where it has customers to appoint its DP representative. It will need to balance the attractiveness of the enforcement approach in that state against other factors.
- Systems design. Scenario: the architecture for a new IT system is under discussion between the CTO and CEO of a large EU business. To future-proof the system, the CTO must take into account the Regulation’s changes, such as allowing consumer data to be permanently deleted (the right to be forgotten, R2BF), and should ensure that all processing operations involving personal data are adequately documented.
- Outsourcing agreements. Scenario: a five-year outsourcing contract involving data processing is under negotiation. The deal will be signed this year, well before the impact day of the Regulation, which will be some time in 2015. Because the processing will continue after impact day, the parties need to anticipate in today’s agreement that their data protection obligations will change.
PS – thanks for the feedback from some of my blog readers who travelled from Paddington station today. You know who you are!