How to avoid a €100 million data fine in Europe

Even US companies will be subject to the new data protection law

A law approved by the European Parliament on Wednesday and aimed at protecting citizens' privacy comes with sweeping penalties for breaches -- up to €100 million (US$139 million) or 5 percent of global annual turnover, whichever is larger.

The European Data Protection Regulation will apply not only to European companies, but any company that does business in the European Union.

"This means that U.S. companies, even if they do no business in Europe, should be prepared to meet or exceed the EU regulation for the purposes of business operations," said Ross Federgreen, founder of the consultancy Compliance Solutions and Resources, in an email.

Breaches include transferring data out of the EU without explicit permission or using data in a way contrary to the obligatory privacy notice on corporate websites. Data breach notification must also take place as quickly as possible, ostensibly within 24 hours. Where this cannot be achieved within 24 hours, an explanation of the reasons for the delay must be submitted to regulators.

"These requirements are being created by politicians. Their definition of adequate security may be different from businesses. It is vitally important that privacy professionals understand the requirements," said Sam Pfeifle of the International Association of Privacy Professionals (IAPP).

The organization says there are four key areas to consider for compliance with the new regulation.

First, under the new law all businesses employing more than 250 staff will be required to appoint a Data Protection Officer. The DPO should have more than a compliance role, according to the IAPP. An effective DPO needs to be someone strategic, who can be involved in product development.

The IAPP also recommends setting up privacy steering committees or privacy working groups at every stage of product and service development. This would go a long way to implementing Justice Commissioner Viviane Reding's "privacy by design" framework.

In addition, data security does not equal privacy. "Many privacy professionals are focused completely on breaches and combatting them, but now they must take a wider view. Just because you haven't been breached doesn't mean you haven't committed a privacy violation," said Pfeifle. Processing of data must be carried out in full accordance with the new law. Where, when and why personal data is processed must be disclosed to the user.

Finally, the new law creates a so-called "one-stop shop." This means that companies do not need to deal with 28 different national authorities. A company's home-country regulator is likely to be the main point of contact. Businesses should foster a good relationship with their regulator, advises the IAPP. "Regulators have said time and again that they're not interested in fining and smacking down those who are trying their best. They want to focus on those who are ignoring best practices," according to the organization.

Some businesses, including some communications services providers, will also have additional complications to contend with.

"As it stands, mobile operators would be subject to a dual regulatory regime and restrictions that do not apply to other Internet players, including on their use of traffic and location data and separate requirements for customer consent. We call on the Council to reduce the inconsistencies between the Data Protection Regulation and the ePrivacy Directive," said Tom Phillips, chief regulatory officer of the GSMA, which represents the interests of mobile operators worldwide.

Heavy data users such as IT companies will also want to take special note of the regulation. Any search engine, social networking site or cloud storage provider must obtain prior authorization from a national data protection authority in the EU before releasing an EU citizen's personal data to another country.

"This will hamper Europe's ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies," warned Digital Europe, a lobbying group that represents 10,000 tech, telecom and electronics companies.

Although the law has been approved by Parliament, its final form has yet to be determined through discussions with the Council of the EU, which represents the member states. Normally member states approve laws as a matter of course, but the Data Protection Regulation has been one of the most heavily lobbied pieces of EU legislation and remains controversial.

"It's a little bit too early to comment because the game is not played yet and we expect a lot of opposition in the council. We have said from the beginning that Parliament must take into account the smaller businesses, not just the Googles and Microsofts," said Luc Hendrickx, Enterprise Policy Director at UEAPME, the small and medium-size enterprise employers organization.


Jennifer Baker

IDG News Service