Data processors - such as IT services providers and other channel firms - will likely be expected to bear a much heavier burden when the new EU data protection laws come into force, not least because proposed penalties for breaches or simple non-compliance could be as high as €1m (£802,600) per company.
Peter Hall, partner in the IT team at UK-based international law firm Wragge and Co, speaking at this year’s ITDecisions Show at the London Barbican, says affected companies could be involved in anything from application maintenance to business process outsourcing. This is because the proposed legislation stipulates that, for the first time, “data processors” rather than just “data controllers” will be directly affected.
The challenge of complying with the proposed legislation could prove insurmountable for some, he suggests, particularly smaller IT providers that are already struggling through tough times beneath a mountain of red tape. The price of failure will range from €250,000 to €1m or a percentage of global turnover, depending on what has gone wrong and the size of the firm.
“We have had data protection laws in Europe since 1995, and stretching back to the 1970s in the case of Germany. It is not a new kind of regulation, but it will change the scope of it,” Hall says. “It is aimed at increasing individuals’ control and transparency of the use of their own personal data, and the backdrop to this is social media.”
A series of spats between privacy regulators and social media operators over the past few years has spurred on the European Commission to revise the law surrounding data protection. Its latest 160 pages of proposals were put forward in January this year, with the intention of them becoming law within two years, he says.
One objective is to provide much-needed simplification and harmonisation of data protection law across Europe - surely an admirable goal. But Hall says the ensuing consultation has, perhaps unsurprisingly, uncovered disagreement among member states and within industry about the proposals’ effectiveness at protecting personal data, and their cost.
France and Germany tend to favour a more regulated approach, whereas the UK has until now been “pretty pragmatic” about data protection, Hall opines.
“This will affect a range of providers in terms of their use of personal data,” he says. “[And] the member states will have to enforce them.”
Hall’s view is that compliance costs will increase for UK services providers that process the data held by any organisations deemed to be data controllers.
The EU Article 29 Working Party’s Opinion 1/2010 from March 2010 defines a data controller as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”.
Some changes may appear subtle but could be more than the sum of their parts, while others could simply mean a lot more paperwork, he suggests, which in some cases might need to be done within 24 hours to keep the company compliant, no matter how minor the breach or whether any damage to the owner of the data is likely.
“There will be mandatory reporting of all data breaches,” Hall says. “And there will be new mandatory contracts for all contractors.”
But too heavy a compliance burden can mean organisations take their eye off more important balls, Hall notes. At the moment, UK firms can make a judgement call on whether or not certain breaches need to be reported, but it looks as if that flexibility will be removed.
“Also, the European Commission can come to the service provider and ask what it is doing with personal data and it will have to provide them with the answer. There will be new security obligations, and an obligation to process information only on instructions from the data controller,” Hall says.
Data export is a headache for everybody with the law as it stands, but in future if personal data needs to be exported outside the EU (and a few other countries that have managed to satisfy EU requirements), the process will be even more onerous.
“In the UK if you outsource application maintenance to India, so they have to handle personal data, you do not worry about the people in India. But the EU says, ‘well, we do worry about whether your business is in India’ and you will need to cover off the export issue,” warns Hall.
There will be new data export contractual obligations on the part of the services provider - although there will be a few exceptions, such as in internal data transfer. But even those exceptions are likely to favour large corporations with more resources, according to Hall.
Viviane Reding, EU Justice Commissioner and vice president of the European Commission, says in the official 25 January statement: “Seventeen years ago less than one per cent of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe, in fractions of seconds.”
Reding notes that the protection of personal data should be a fundamental right but citizens do not always feel in full control of their personal data.
“My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information. The reform will accomplish this while making life easier and less costly for businesses,” Reding says.
According to the Commission: “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.
“The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, while shopping, when receiving medical treatment, at a police station or on the internet.”
A strong, clear and uniform EU legal framework that does away with the current diversity of data protection rules across 27 member states will enhance growth, innovation and job creation as well as boost consumer confidence online, according to Reding. Projected overall savings for the EU are €2.3bn a year - even though the compliance burden falls far more heavily on data processors in the proposed legislation.