The current European privacy directive on the protection of personal data dates from 1995, which is of course no longer appropriate in an era in which 250 million Europeans use the Internet every day. The new European Privacy Regulation is meant to meet the requirements of this digital century, but what exactly is going to change?
It is important that all rules relating to the processing of personal data are laid down at European level, because data storage is increasingly cross-border. The Council of Ministers therefore agreed in June 2015 on its position on a new Regulation that lays down rules for the collection and processing of personal data. To a large extent, this gives companies a single clear framework for handling these data. On 14 April 2016, the European Parliament approved the new Regulation.
Personal Data Protection Act
Many organisations use and exchange personal data. In the Netherlands, the most important rules for handling personal data are currently laid down in the Personal Data Protection Act (Wet bescherming persoonsgegevens, WBP). The WBP describes what companies and organisations may do with the personal data they hold, and above all what they may not do with them. It also describes your rights if your personal data are misused. Protecting privacy is becoming ever more important for society and business in the digital world, and privacy legislation is now moving in that direction.
European privacy regulation
The new European Regulation will be published in the coming months, after which organisations will have no more than two years to comply with it. After those two years the Regulation replaces the WBP. The WBP focuses mainly on the data controller (the party responsible for the processing of personal data); the new Regulation no longer addresses the controller alone but also the party that processes personal data on the controller's behalf. What the WBP calls the 'bewerker' is called the processor ('verwerker') in the new Regulation. In addition, more data qualify as 'personal data' than is currently the case, such as location data and online identifiers like IP addresses and identification cookies.
A number of changes in a row
Until now, a data controller has had to notify the Dutch Data Protection Authority that it processes personal data, while a processor has had no such duty. Under the new European Privacy Regulation this notification disappears. It is replaced by a documentation duty for all controllers and processors of personal data: they must keep records describing the processing they carry out. The obligation to report data breaches simply remains in place.
Beyond these changes, the new Regulation contains several further amendments to the current WBP. It makes the appointment of a data protection officer compulsory for government agencies and bodies. In the private sector, the proposal discussed here tied the obligation to companies with more than 250 employees or whose core activities consist of processing personal data; in the final text the 250-employee threshold is dropped and the obligation is tied to the nature and scale of the core processing activities instead. A group of companies may appoint a single data protection officer jointly. The data protection officer should not simply be someone carrying out the role alongside their existing job: it must be an independent position, and any other tasks may not lead to a conflict of interest.
In addition, the Regulation obliges organisations to hold documentation describing the personal data they process and to inform the data subjects concerned about that processing.
In general terms, the changes the Regulation will bring about are known. It is therefore important for organisations to start preparing now for the changes to come. Would you like to know more about a number of important aspects of the new Regulation? In the next part of our blog we will discuss the terms privacy by default, privacy by design and privacy impact assessments.