Press Room

24 January 2014

Data Privacy – A critical issue for business organisations

Data Protection has been gaining importance amongst the several fields of legislation that have an impact on the core activities of any kind of business and corporation. The path runs from the initial Council of Europe treaties, which began to establish criteria and guidelines for such regulation; through the EU Directive on Data Privacy, which has for many years set the legislative framework for Europe and for many other countries outside the EU also wanting to follow such a path; to the imminent new European regulation, which will significantly increase obligations and procedures for all organisations.

The fact that the EU has decided to raise the level of protection from a framework Directive to a single Regulation for all member states indicates how critical regulators in the Union consider privacy to be. It is clear that Europe, if it really wants to perform as a single and efficient market, cannot tolerate different legislative standards amongst the different member countries when it comes to determining how personal data must be treated. This is especially important for those categories of data treatments which, given the current technological environment, will have a potentially sharp impact on individuals’ privacy (such as behavioural monitoring), or potentially affect data subjects in several countries at the same time.

On top of the need to implement an effective harmonisation, EU regulators have also sent a clear message to agents in the market, so that privacy is fully understood to be a fundamental right whose protection and respect must at all times be considered by any organisation dealing with personal data. The result is that the new proposed EU Regulation seeks to introduce new protection principles, expressed in new accountability standards, the introduction of concepts such as «privacy by design», or the establishment of a very strong system of penalties.

These new protection principles will add new obligations, in addition to those already existing, which any organisation dealing with personal data will be forced to respect. Amongst these new obligations, the following are particularly worth highlighting:

– Introduction of new documentary and inventory obligations;

– Appointment of a Data Protection Officer within the organisation;

– Introduction of compulsory notification procedures to handle security violations affecting personal data;

– Compulsory risk assessments prior to the treatment of certain categories of sensitive data;

– Compulsory consultations and authorisations from data protection authorities prior to certain data treatments;

– A detailed regulation of erasure rights to ensure the effective enforcement of the «right to be forgotten»;

– New procedures to ensure personal data portability; and

– Specific obligations on data profiling.

Consequently, future European regulation on personal data will imply more obligations and challenges for all organisations, whether located within the EU or outside its territorial scope.

In order to respond to such challenges, MERITAS has gathered a strong team of firms within the EMEA Region with the necessary capabilities, expertise and ability to provide the most comprehensive advice in this field, addressed to the needs of businesses within the region as well as those corporations aiming to expand or establish their businesses within the region. The firms' contact details can be found at the bottom of each of the country updates.

Carlos Pérez Sanz
Head of the Meritas EMEA Data Privacy Group

Please read the article here: http://www.meritas.org/emea_data_privacy/dec-2013.htm