When was the last time your organization had a data privacy health check? Prepare for the EU Data Protection Regulation.

What if customers’ personal data held by your organization were illegally or mistakenly disclosed or leaked to the public? The organization would end up in the news headlines with detrimental effects to the brand. Moreover, significant administrative penalties may be imposed on a company failing to fulfill its data protection obligations when the EU Parliament’s proposal for a regulation on data protection enters into effect.

The proposed data protection regulation is being further debated in the Parliament’s committees and estimated to enter into effect not earlier than 2014 with an implementation period.

So what is new?

Some of the provisions suggested are more stringent than what is in place today, at least for the majority of EU member states. Certain fundamental rights and obligations included in the proposal are required by Finnish law already today, and that goes for most EU member states. However, the intention is to ensure an equivalent level of regulation in all member states by a Data Privacy Regulation, which will come into effect as-is without further national implementation actions.

Will the EU function more as an internal market then?

The functionality of the EU as an internal market for electronic commerce is certainly not going to change overnight just through enhanced privacy protection. However, businesses and non-profit organizations can no longer put off compliance with the protection of personal data. It is important to ensure compliance with current provisions as soon as possible, in order to be prepared for the new world of data privacy:

1) Perform a health check regarding your company’s data protection practices, internal codes of conduct, and related documents.
Any amendments or specifications required in the internal guidance and training of the employees can be implemented already now. When the proposed regulation enters into effect, the internal rules and practices can be amended to meet the new legal requirements.

2) Ensure that your company has a proper action plan in the event of a personal data breach.
The organization needs to have a plan and processes ready, involving the management of the organization, the people responsible for IT, and also any public relations officers and legal advisors. The proposed regulation requires a notification to be made of the breach to the supervisory authority in a very limited timeframe.

3) Accountability
Under the proposed regulation, companies are required to be able to account for processing operations of personal data. This calls for maintenance of documentation of all such processing. The Finnish Data Protection Ombudsman recommends the drawing up of an Accounts for Personal Data account (in Finnish, “tietotilinpäätös”).

Do not perish
Lastly, it is good to remember that ensuring the necessary high level of data protection also entails that practical everyday measures related to data security have to be in place. For example, are you sure that access to your company’s personal data is only held by those authorized? Taking care of the data protection obligations is anticipatory risk management, and requires fostering of data protection. He who is ready will earn a competitive edge.

Wish to discuss the issues further? Please contact counsel Virpi Jalonen at PwC Corporate Law Services.

Issues like this and many more are also discussed at Amcham Legal Committee meetings. For more information on times and venues, please contact Matthew Wood at Amcham or Legal Committee Chair Maria Parker at PwC.