Mark Woolley, Director, Reckon UK and developers of Virtual Cabinet

‘Businesses should prepare now and budget for a new, stricter, and more complex era of data protection in Europe’

Following three years of negotiations, the European Parliament has now finalised and approved new General Data Protection legislation that will set new standards for privacy for EU businesses. It sets the bar high and expects businesses to have ‘privacy friendly’ techniques such as ‘encryption and data protection by design and by default,’ in place along with the right systems and processes.

With the new legislation set to come into force in early 2018, Accountex presents an ideal opportunity for accountants to see how advances in document management technology and secure document portals are providing a simple to use and effective response to this latest compliance challenge.

For those that breach EU data protection regulations, the fines levied could be enormous with a maximum fine of up to 4% of global annual turnover for the preceding financial year. The fact that this is double the original 2% that was suggested implies a significant change in the mind-set and ‘privacy’ now needs to become an urgent item on Board agendas.

The main burden for companies is likely to be administrative as there are significant record-keeping requirements under the new law. For example, companies with over 250 employees require a data inventory and significantly more data processing situations will require the ‘free and informed’ consent of an individual before their data can be processed. Keeping an audit trail of that consent to demonstrate evidence of compliance and consents represents yet another challenge for the time-pressed business.

Here is a quick overview of the key points:

• Right of portability
• Right to be forgotten – new erasure rights
• Privacy by design
• All organisations to have a data protection officer if they have a large scale customer database or are processing sensitive data on a large scale
• Privacy impact assessments with a limited exception for SMEs unless considered high risk
• Notify security breaches to the DPA without undue delay and within maximum of 72 hours

Keeping data safe and private will be of paramount importance, both when stored and when communicated electronically. Emails will need to be encrypted with the use of a document portal, or alternative, as the regulation allows users to claim damages in the instance of data loss or as a result of unlawful processing. This could indeed prove costly to businesses both in financial terms and in terms of reputational damage.

A personal data breach is considered to be any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This has implications for any business acting on behalf of clients that has cause to email information relating to the client that could potentially fall into the wrong hands as the loss or unauthorised modification of an email address or a phone number would constitute a personal data breach.

The steps businesses should take now:

1. Protect against data security breaches with rigorous procedures that ensure emails cannot be sent to the wrong recipient
2. Use encrypted e-mail for communication of personal data – a document portal provides the highest levels of security and can be customised with own branding
3. Put in place clear policies for a timely response to any data breach and notify in time where required
4. Ensure procedures meet the standards laid down in the new regulations to demonstrate compliance
5. Check that you have legitimate grounds for the retention of personal data
6. When transferring data internationally, it will be important to ensure that there is a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection regulation.

The UK Information Commissioner has already suggested that some large organisations may need to budget up to £5 million for initial compliance reforms as ‘token steps to comply will not be sufficient’. With the risk of such high fines for non-compliance, businesses cannot afford to take the risk of leaving it too late to make such essential changes. They will need to adopt entirely new behaviours in the way they collect and use personal information and the planning needs to start now.

Processes and procedures will need to be reviewed to ensure businesses are not vulnerable and the systems put in place to ensure that all data is kept confidential. Privacy is the key word here and businesses should prepare and budget for a new, stricter, and more complex era of data protection in Europe with more requirements and more stringent provisions.