Less than one year from now, on May 25, 2018, the new European Regulation on the protection of personal data (EU) 2016/679 will come into force. Whatever its size or business activity, every company has to process personal data files at some point.
The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.
Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.
The Regulation applies to personal data processing when the controller is established on the territory of the European Union.
If the controller is not established in the European Union, the Regulation applies when data processing involves persons situated within the European Union and when the processing is linked to the offering of goods or services to such persons. Non-EU companies must appoint a representative for this purpose.
The right to data portability and appointment of a DPO
This new right enables a person to recover the data that he has supplied in a form that is easily reusable, such as a USB key for example. Companies must get organised in order to be able to satisfy these portability requirements.
Appointment of a Data Protection Officer
Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés) who is appointed based on his professional skills (legal and technical), his independence and his accessibility in order to ensure compliance.
We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.
These measures must imperatively be respected at the risk of seeing heavy sanctions imposed.
Depending on the category of infraction, these sanctions may amount to:
- 10 to 20 million euro; or
- 2% to 4% of annual world revenues,
The higher of the above two amounts is applied.
To ensure that your practices comply with the new legislation, it is necessary to:
- Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
- Anticipate the obligations specified by the Regulation;
- Budget for the right to data portability and the position of DPO;
- Organise, for SME, the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.