In our blog post of 16 January 2015 HireRight reported on the progress of the EU data privacy reforms. Excitingly, the Council of the European Union (“Council”) met their self-declared deadline of agreeing a general approach on the General Data Protection Regulation (“Regulation”) and announced on 15 June 2015 that “we have moved a great step closer to modernised and harmonised data protection framework for the European Union.”
The “general approach” means that the Council has now reached a political agreement on the basis of which it can begin negotiations with the European Parliament and the Commission, with a view to reaching an overall agreement on the Regulation. The first “trilogue” with Parliament was planned for 24 June 2015, the aim being to produce a final negotiated text that all three institutions agree on.
What does this mean in terms of the time frame for implementation? The incoming Luxembourg Presidency has stated via its Justice Minister that “…we have the firm intention to conclude by the end of this year”. But before we get too excited, we should remember that once the Regulation is adopted there will be a two-year transition period before it becomes enforceable by data protection authorities – meaning that the Regulation’s “in force” date will likely be some time in 2017 at the earliest.
So, at this stage, can any business prepare for the Regulation? Well, we know that certain items are very likely to make it into the final Regulation, such as the application of the Regulation to any worldwide business servicing EU citizens; the extension of liability to data processors; the “one stop shop”; and greater fines. However, there are an equal number of uncertainties, such as whether the appointment of Data Protection Officers will be mandatory and whether the role of “consent” in processing will be amended. Unfortunately, this means that it is difficult for any organisation to anticipate changes, as until there is a final Regulation we are all speculating. That being said, some commentators have drawn attention to various items that organisations may want to review or consider now, as these items would make sense for any organisation handling personal data regardless of reform. This list is by no means comprehensive:
- Plan and develop processes for carrying out data protection impact assessments;
- Review existing policies and procedures, identify where data is processed within an organisation, conduct a gap analysis in respect to those policies and procedures, and identify key stakeholders to support and develop an accountability programme;
- Try to future-proof deals being negotiated now by carefully documenting responsibilities of the parties, trying to take into account likely changes in the Regulation such as consent for sub-processing, security standards and risk allocation.
So, for now, this is a small step for privacy while we all await the likely final text of the Regulation. HireRight will continue to monitor any reported developments ahead of the “giant leap” forward to the Regulation.
Please be advised that this is being provided for informational purposes only. It is not intended to be comprehensive and should not be construed or relied upon as legal advice. As with all legal issues, we recommend you consult your legal counsel.