The text of the new EU Data Protection Regulation has now been finalised.
But we’re not quite at the finish line yet. You can even choose whether you think the finish line is when the Regulation gets its rubber-stamped approval (which is imminent), or when it is finally implemented (which is probably two years away).
Nevertheless, the notorious Trilogue negotiations are over. The EU Council and Parliament have agreed a compromise text. Years of uncertainty about whether there would be a new EU law, and what it would look like, are over.
What should you make of it? First, there are in fact two texts: the Regulation (a new Data Protection law applying equally across all EU member states) is accompanied by a Directive (new rules for Data Protection as applied to crime and justice, implemented by each member state with greater flexibility). Second, many of the headline-grabbers survive intact: many organisations will require a Data Protection Officer, mandatory breach reporting is coming, and the maximum monetary penalties are 4% of an organisation’s annual turnover, which represents something of a defeat for the EU Council, who aimed much lower.
Proposals to remove charges for subject access may make many organisations wince. Even at first glance, there are some surprises; most notably a requirement for parental consent before children under 16 can access some web services, although national governments can lower this age to 13. This proposal surfaced late in the negotiations, and its implications still need to be unpicked.
The Regulation is about identifying and dealing with risk, about building structures within your organisation, and taking a more organised, more proactive approach to Data Protection. The fundamentals remain largely unchanged; what the Regulation does is build a whole new set of structures and routines on top of those foundations.
The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.
Now is the time to Act!
There is a lot to learn and a lot to do in the next few years. Firstly, all Data Protection Officers and information professionals need to read the Regulation and consider its impact on their organisation. Here are the key points of the Regulation to get you started.
Secondly, training and awareness at all levels need to start now. This is where Act Now can help, whether you want a relevant DP qualification or a short briefing on the Regulation to kick-start your preparation.
For Data Protection Officers (new and old) who need to get a formal qualification, our Data Protection Practitioner Certificate is ideal. The course looks at the current law as well as the forthcoming changes set out in the Regulation, particularly the issues of consent, privacy impact assessments and data subjects’ rights. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.
We are also running a series of full-day workshops throughout the UK, which are filling up fast. More dates will be added soon. We can also offer full- or half-day in-house briefings on the Regulation from the middle of January 2016.
Finally, for those whose budgets were depleted by the Christmas party, or who may simply not have the time, we have planned a series of one-hour webinars looking at various aspects of the Regulation in detail.