PwC data protection experts outline how the proposed reforms to the EU 1995 data protection rules published yesterday by the European Commission will impact businesses and individuals.
Lisa Banyard, PwC data protection leader, said:
“Implementing the proposals will present an increased administrative burden for businesses. Under the changes, organisations would be operating under a tougher regime where they would face increased accountability and heavier fines which could add up to 2% of worldwide turnover for the most serious breaches. In a move clearly aimed at those operating on the Internet, organisations dealing with personal data about EU citizens would be accountable even where they are located outside the EU.
“Historically, fines imposed in the UK for data breaches were fairly small but going forward this could change dramatically. Organisations will have to demonstrate how they are complying with the law by having proper policies and procedures in place. Sticking a privacy policy on the website will no longer be sufficient.
“The introduction of compulsory breach notification means companies have to report losses to the Data Protection Authority within 24 hours and that’s going to be tough for some companies to adhere to. Those that don’t already have a well-oiled reporting mechanism in place will need to implement measures to be able to flag breaches in time.”
Jonathan Nugent, data protection specialist, PwC Legal, said:
“The new proposals will shift power into the hands of individuals. In theory, once the proposals are implemented it should be much easier to access, move or delete whatever personal data companies hold on you. The new ‘right to be forgotten’ will mean you can request that any personal data you’ve ever published about yourself online is deleted, and the changes will provide greater protection for personal data about children.
“The new right to data portability will also place an obligation on website providers to ensure that data exists in a format that allows individuals to transfer their information to an alternative service provider. It would apply to social networking sites most notably. For example, the fact you might have invested a lot of time building up your profile on one networking website would not matter as you would easily be able to move everything you have posted from one site to another.
“International businesses will welcome the moves to provide a more coherent framework for data protection laws in Europe, and the provision that companies only need to comply with the law of the country where their main headquarters is established.”