New Data Protection Legislation

A new Data Protection Regulation is making its way through the EU legislative procedure and is expected to be released at the end of this year. A two-year transition period will commence upon the Regulation’s release, during which organisations can take the necessary steps towards compliance.

The most recent changes in data protection laws were brought about in 1998, and since that time much has changed. The purpose of the new Regulation is to reflect the present digital economy, including changes in the collection and processing of personal data.

Although the final wording hasn’t yet been released, below is a brief summary of the anticipated changes:

  • The territorial scope of the Regulation is now wider and shall apply to organisations not established in the EU, but where the processing activities are related to the offering of goods or services to EU residents;
  • A wider definition of what is considered ‘personal data’ now includes location data;
  • Consent is now defined and will always have to be explicitly given by the data subject to be valid (so no more ‘opt-out’ options);
  • Privacy/Data Protection policies will now need to include a list of information prescribed by the new Regulation;
  • Organisations can no longer charge for subject access requests;
  • Data subjects have a new right to erasure or the right ‘to be forgotten’;
  • Where a personal data breach occurs, the organisation must notify both the supervisory authority and the data subject of the breach;
  • Sanctions in the event of a breach will increase and can include fines of up to €100,000.

In light of these changes, it’s important to start thinking about how the new Regulation may affect your business. Here are a few things to consider in preparing for the changes:

  1. How will you go about gaining explicit consent from customers to collect and use their personal data? It will be important that the consent is obtained explicitly and for a specific purpose, and that the consent request is displayed prominently (and not included in a set of T&Cs or a privacy policy).
  2. Will you need to implement a new system for dealing with data breaches, including processes for notifying any individuals affected by breaches?
  3. Privacy and compliance with the new Regulation should be considered when designing any new processes for collecting personal data.

Once the final Regulation is released, Travlaw will work with the BHA to prepare a toolkit to help BHA members comply with the legislative changes.

For more information on new data protection legislation please contact Farina Azam:
