European data protection reform: the facts

If you work in privacy and data protection, you would have to have been living in a cave for the last few years not to know that changes are on the horizon. However, there is a lot of misinformation out there about what is happening and when. Articles frequently appear reporting on new changes and stating as fact things that are definitely not.

The truth is...

The truth is that the draft Regulation is still being negotiated, there is some way to go, and there is little you can do to prepare right now, because we do not know what it will say on the key points. There is a direction of travel that we can identify, but on the issues likely to matter most to companies there is considerable disagreement between the Parliament and the Council, which must agree a single text for it to become law.

If you are not familiar with the EU legislative process, then I recommend the latest blog from the ICO on the topic, which explains very concisely and clearly what has happened to date, what is happening now, and what has to happen next.

What is likely to change?

Some key areas, such as consent, the legitimate interests condition for processing, and profiling, are still in flux, and there seems to be disagreement between the Council and the Parliament on each of them. So it may be worth you or your government affairs team keeping an eye on any developments there.

It looks as though the provisions on international transfers will be more restrictive from a UK perspective: the ability to carry out your own assessment of a transfer would disappear unless the transfer is small-scale and infrequent, and even then the assessment is a balancing test between your interests and the rights of the individual. At least that is what the Council proposes. The Parliament has removed this option completely from its version.

What does seem likely is an increase in paperwork for those of us in a data protection officer-type role. Both the Council and Parliament versions of the draft Regulation require detailed documentary evidence of what you are doing with personal data and how you are looking after it. If you have a good governance programme in place, then you should already have most if not all of the information you need, and it may just be a case of presenting it differently or more coherently should a regulator ask to see it. A lot of companies fail to carry out or maintain data mapping or data inventories, and this is one of the basics that companies should be sorting out now.

Can you stay one step ahead?

So should you just sit and wait for the Regulation to be published? Well, there are some things you can do in the meantime if you have responsibility for data protection. The best thing you can do is to make sure you are compliant with the current regime. The ICO's message is still 'get your house in order now under the current regime, and you'll go a long way to being compliant under the new one'. It might also be worth preparing a briefing for senior management or the board so that they are not panicked by misleading articles and have an overview of what is happening in case they are ever asked. You can also work with your government affairs team, or similar, to identify the key aspects of the reform that might affect your company most, and keep an eye on developments on those points.

And finally, remember that once the Regulation is agreed and published, there will be a two-year implementation period, and that’s when the hard work really starts!

A bit of help along the way

We have developed a data protection risk management guide to help you:

- Minimise potential data breaches and the resulting reputational and financial risk to the business

- Remain on top of the changing regulatory landscape and the implications for your business

- Demonstrate the value of your risk management strategy to the business

To view the data protection risk management guide for free, request a free one-week trial.

About the author:
Emma Butler is currently Senior Director Privacy and Data Protection for Reed Elsevier as part of their Data Protection and Privacy Group. Her focus is primarily on the European LexisNexis businesses. She is also the Data Protection Officer for LexisNexis UK.

Emma previously spent seven years leading the international policy team at the Information Commissioner’s Office (ICO) where she worked with other regulators and the Article 29 Working Party as well as advising businesses and government entities on UK, EU and international data protection and privacy legislation.

She has a degree in French, Italian and linguistics and recently completed an LLM in Information Rights Law and Practice. She has an ISEB certificate in data protection and is an active member of the International Association of Privacy Professionals.