Leading Cornish law firm Stephens Scown LLP has warned businesses that they will need to ensure their data protection processes are robust enough to meet tough new rules which have just been agreed by the EU to unify data protection rules across the region.
Stephens Scown advises that almost all businesses will need to change how they handle customer data in light of the new rules, and that, given the scope of the changes, it is highly unlikely that any business is already compliant.
The new General Data Protection Regulation is expected to be formally adopted early next year and to take effect after a two-year transition period. The text was agreed earlier than expected, taking some commentators by surprise.
Measures include higher fines for data protection failings, up to 4% of global annual turnover or €20 million, whichever is the higher, and mandatory notification of personal data breaches to the supervisory authority within 72 hours of the business becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned.
Jowanna Conboye, intellectual property solicitor at Stephens Scown LLP, said: “These new rules send out a clear message that every business must take data protection extremely seriously. The regulations call for ‘privacy by design’ – in other words, businesses must put privacy at the heart of their processes, not regard it as something that they bolt on at the end.”
The data protection rules cover all personal data, whether it relates to customers or employees, and the use that companies make of personal details to build up customer profiles. With companies conducting ever more business with customers online, privacy and security have become critical issues.
Conboye added: “The steady succession of cyber security incidents that have hit the headlines has propelled data protection up the business and indeed political agenda. It’s crucial to appreciate that it’s not just your own company’s website and systems that need to be secure – it has to reach along the chain to any partner businesses that process your data, such as website hosting companies and payment processors.
“Companies need to review all of these arrangements and ensure that the contracts they have in place with partner businesses are robust and that responsibilities and liabilities are clear.
“There is also a clear responsibility for businesses to ensure that they are open and transparent with customers about how their data may be used, and that they get consent for this where appropriate.
“Companies that get their data protection wrong will be counting the cost – the new fines could amount to very significant sums which could hit a business hard.”
Because the new rules take the form of a regulation rather than a directive, they will apply directly in every EU member state without needing to be transposed into national law. Individual countries will have no scope to water down the rules, although more stringent national regimes may be introduced.