The EU Regulation is designed to replace the current multiplicity of EU data protection laws with a single set of rules to be applied throughout all Member States. Time is moving on so it’s important to keep on top of the discussions and updates being published.
Last month’s proposed revisions to Chapter IV (which deals with data controller and data processor obligations) are summarised below. However, it is worth remembering that “nothing is agreed until everything is agreed” in relation to the Regulation.
Greater discretion for data controllers – risk-based compliance
Businesses will be relieved to see greater discretion for data controllers in complying with the legislation as recent Chapter IV discussions in Europe have moved towards a risk-based approach to compliance.
A balance between privacy and entrepreneurship
The proposed amendments to Chapter IV suggest that data compliance obligations should be proportional to the organisation’s specific data processing activity and associated risks.
Once these activities and risks have been assessed, appropriate privacy and data protection tools should be instigated by the organisation.
Different activities, even where the same data is involved, may quite often have different consequences, requiring different levels of protection. The risk-based approach allows data controllers a more flexible approach in assessing their data compliance responsibilities within the context of their own particular business.
It appears that most countries welcome the risk-based approach, which they view as providing a good balance between protecting personal data and safeguarding businesses and entrepreneurship.
Chapter IV Proposed Revisions
Below are some examples of the revisions proposed by the EU Council:
- Data protection impact assessments are only required where “high” risk (for example identity theft, fraud or financial loss) to the rights and freedoms of individuals is involved
- The appointment of Data Protection Officers is voluntary (unless individual Member State legislation states otherwise)
- Only data breaches that are likely to result in “high risk for rights and freedoms of individuals” need be reported
- If stolen or breached data is encrypted or protected in such a way that the data remains indecipherable, there is no requirement to report the breach.
- Required levels of security measures will be established by considering multiple factors, including the nature, scope, context and purpose of the data processing to be undertaken, in combination with the cost of implementation and the technology available.
- Only where a data privacy impact assessment indicates that data processing would result in “high risk” to the rights and freedoms of individuals, the supervisory data protection authority should be consulted prior to the start of such processing
There is also a suggestion that data controllers may use “adherence of the processor to an approved code of conduct or an approved certification mechanism” to demonstrate compliance with the obligations of a controller. So organisations may find it well worth considering selecting only those data processors who have appropriate data security certification such as ISO 27001 or DMA DataSeal.
If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742. Or email email@example.com