There are eight main areas of the proposed EU data protection framework that organisations should take note of to help prepare for the coming changes, according to global IT security association ISACA.
1) Accountability and protection by design/default: Accountability lies with data controllers by requiring them to:
- Maintain documentation of all processing operations (to be made available on request to the supervisory authority);
- Conduct a data protection impact assessment for risky processing; and
- Implement data protection by design and by default.
2) Data protection officers: Organisations with 250 employees or more, or whose core activities involve regular and systematic monitoring of data subjects, must appoint an independent (employed or service contractor) DPO who reports to management.
3) Explicit consent: A data subject’s consent to processing of its personal data is freely given, specific and informed and requiring explicit consent (by statement or by clear affirmative action), which signifies agreement to the processing; the burden of proof is on the data controller. Where personal data is processed for direct marketing, the data subject shall have the right to object (shall be explicitly offered).
4) Right to be forgotten: Individuals can require erasure of their personal data and abstention from further distribution by the data controller. Where data was made public, the controller shall take all reasonable steps to inform third parties to erase links to, or copies of the data, and where the controller authorised the publication, it remains responsible.
5) More territorial reach: Data controllers outside EU with processing activities of data subjects residing in the EU will need to appoint a representative in the EU. Monitoring of behaviour will occur where individuals are tracked by applying a profile to enable decisions to be made/predict personal preferences (for example, cookies).
6) Data breach notification: Data controllers must notify any personal data breach to the DPA without delay and within 24 hours of awareness. If the delay is more than 24 hours, they must explain the reasons when notifying. In some cases, data controllers must also notify the affected data subjects without delay.
7) Sanctions: DPAs will be able to impose fines of up to 2% of annual global turnover.
8) One lead supervisory authority: The DPA in the member state in which a multi-jurisdictional data controller has its main establishment shall supervise processing activities of the data controller across all member states, applying various obligations to cooperate with other authorities.
This “one stop shop” is a significant change to the current position, and may lead to disputes between DPAs. If no decisions on processing are taken in the EU, the main establishment is where the main processing activities take place. For a processor, it is the place of central administration in the EU.
Marc Vael is director of ISACA and chair of the Knowledge Board.