Compliance With Incoming EU Data Protection Legislation

Posted by Shannon Walker

on October 30, 2013


The European Union has drafted a set of amendments to its existing data protection legislation, which many argue is out-of-date and lagging behind technological progress.  The proposed changes represent a major overhaul of the laws surrounding the use of the personal information collected by companies, and will have a large impact on the way in which businesses operate within the EU.  International companies who currently comply with less severe data protection laws will have to alter how they collect and use personal data, and this could require a severe shift in business models.

Legislation Overview

The proposed legislative changes are centred on purpose limitation.  In guidance published in April 2013, it is stated that “Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility to data controllers.  The concept of purpose limitation has two main building blocks: personal data must be collected for ‘specified, explicit and legitimate’ purposes (purpose specification) and not be ‘further processed in a way incompatible’ with those purposes (compatible use)”.

At the heart of this is the difference between anonymous and pseudonymous data.  Anonymous data is personal information collected and stored in a format which makes it impossible to discover the individual identities in the database.  Pseudonymous data is collected and then has personal details such as names replaced with unique ID codes.  It does, however, contain sufficient information to allow for the identification of an individual, even if this means cross-referencing a second database not necessarily held by the company who did the initial data collection.

Anonymous data is not currently protected by the Data Protection Act (DPA) based on the fact that there is theoretically no way to ascertain individual identities.  However, ensuring full anonymity is difficult.  Because personal information is removed following collection, companies could have raw, pre-anonymized data on file.  Furthermore, technological advancements have made it easier to access this raw data.  As such, new legislation will protect anonymous as well as pseudonymous data.

The notion of consent is also at the heart of the new laws.  In the guidance mentioned above, it is suggested that personal data cannot be used for a purpose unrelated to that for which it was initially collected.  This is to say that no exploratory analytics or market research can be carried out on personal data handed over for another purpose.  It is also recommended that the legislation require explicit consent for data collection.  Explicit consent is not currently required for companies to pass on personal information.

How does this affect global companies doing business in the EU?

The proposed legislation (which will likely be in place by 2016) will promote greater accountability from companies doing business in the EU as it relates to personal data.  The regulations surrounding data protection in the EU will be more clearly defined by this legislation, and fines for non-compliance will be stricter as a result.  Companies will also be required to implement their own internal policies to ensure that they adhere to the new laws.  This shift of onus is the primary means through which legislators hope to increase accountability on the part of data processors, and should help to encourage a commitment to transparency from companies as well.

The policy restructuring that will inevitably be necessary for many conducting business in the EU will be a large undertaking.  Companies that use personal information will have to begin this process soon in preparation for the legislation’s start date, and the implementation of a whistleblower hotline and case management system is a straightforward first step in ensuring compliance.  As corporations are required to take more accountability for their use of personal data, a system which promotes transparency and provides a platform for anonymous reporting from employees can act as an important foundation for policy overhauls.  Furthermore, the implementation of an ethics reporting hotline and case management system has implications for corporate culture, as a company with these in place demonstrates a commitment to transparency and accountability.

An ethics reporting hotline and case management system will therefore not only reduce liability by helping to ensure compliance with new regulations, but will also help to build a culture that is committed to ethical best practices.  With stricter fines for non-compliance and increased pressure on companies to be accountable for their data collection and use, it is crucial to establish a thorough and efficient whistleblowing and case management infrastructure.  Ethics reporting hotlines such as Whistleblower Security Inc.’s will be compliant with the proposed data protection legislation, and can cover all of a company’s global branches simultaneously.

For more information, see the Article 29 Working Party opinion on purpose limitation:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf
