New EU Data Protection Regulations: High-Level Overview of The New Rules and Regulations
Even if sharing is allowed the new EU regulation prohibits personal data from being transferred outside the European Economic Area (EEA); Unless the data controller assures an adequate level of privacy protection. Ensure that if data is being stored on a cloud network that data is not being sent and stored in a foreign location or moved between facilities, this will result in violation. Encrypting data before entering the cloud can protect you, showing that the controller took the necessary steps to “meet the individual’s reasonable expectations of data privacy” in the case of data loss.
Each company (or corporate group) will have one national Data Protection Agency (DPA) as its lead regulator to ensure they are in compliance. The head DPA will be required to communicate with other DPAs whose citizens are affected. Most importantly, the Regulation creates an entirely new super-regulator in the form of the European Data Protection Board. The European Data Protection Board will give guidance and will oversee resolving arguments among the national DPAs.
There are two new categories of data, genetic and biometric data. These categories fall under “sensitive” or “special” classifications, and they include personal data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation. But pseudonymized data remains personal data and is viewed as a highly-recommended risk reduction technique.
Consent is not valid in a contract if the data owner is required to give consent to use his or her personal data that is not necessary for the use of the contract/service. This will have a significant impact on “free” apps and other services that rely on using users’ data to pay for the costs of providing the app/service. Different types of data require separate types of consent.
Companies have 72 hours to report a data breach to DPA unless the data controller can demonstrate “that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” Individuals must be informed that their data has been compromised “without undue delay if the personal data breach is likely to result in a high risk” to their “rights and freedoms.”
Having and enforcing internal data protection policies and procedures is a requirement, companies may need to present this information in the event of an incident. And all data breaches and following investigations must be documented.
Companies must appoint a Data Protection Officer if its primary activity is processing operations that require regular monitoring of data on a large scale. Or if it consists of processing large groups of data that fall under a special category of data such as “data relating to criminal convictions and offenses.”
People can now request that his or her data be erased if:
The data is no longer useful or being used in the matter that it was originally collected for.