Compliance &Ethics - Society of Corporate Compliance and Ethics

More documents

Recommendations

Info

Featureby Robert BondUnderstanding the proposedEU data protection regulation»»The EU is in the process of revising its data privacy regime to harmonise data protection across its member states.»»The propsed Data Protection Framework will implement greater enforcement powers that apply to both data controllersand data processors.»»The Framework will focus on consent, breaches, data transfers, accountability, and liability.»»Individuals will have greater control of their personal data, and special protections for the data of children are included.»»Foreign businesses that target EU citizens will incur significant compliance obligations.Compliance & Ethics Professional May/June 2012BondOver the past few years, the EuropeanUnion (EU) has been consultingwith key stakeholders on the need tooverhaul the EU data privacy regime and toproduce a harmonized general data protectionframework.On the November 29, 2011, theEuropean Commission “leaked”an updated version of its draftGeneral Data Protection Regulation(Regulation) intended to producea harmonized Data ProtectionFramework for the EU, which amongother things will repeal the DataProtection Directive (95/46/EC). The proposedRegulation was finally announced on January25, 2012.The intention of the Regulation is “tobuild a stronger and more coherent DataProtection Framework in the EU, backed bystrong enforcement that will allow the digitaleconomy to develop across the internal market,put individuals in control of their own data,and reinforce legal and practical certaintyfor economic operators and public authorities.”However, the Regulation in its currentform imposes significant changes to the wayin which businesses will have to comply withdata protection laws and regulations in the EU.The European Commission considers thata Regulationwill be the most appropriate legal instrumentto define the framework for theprotection of personal data in the EU, sincethe direct applicability of the Regulationwill reduce legal fragmentation and providegreater legal certainty by introducinga harmonized set of core rules, improvingthe protection of fundamental rights ofindividuals, and contributing to the functionalityof the internal market.The key principles of the Data ProtectionDirective and the majority of the definitionstherein remain the same. However, thereare significant changes to some definitions,clarification over some of the principles (inparticular, consent), and reinforcement ofcurrent solutions for data transfers. Mostimportantly, there are new obligations for boththe data controller and the data processor withrespect to the role of the data protection officer,as well as obligations involving mandatoryreporting of data breaches, dramatic increasesto enforcement powers and fines, and specificresponsibilities with regard to the personaldata of children.24 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
FeatureBased on the wording of the proposedRegulation, businesses with entities in Europethat process personal data, use equipment inthe EU for processing personal data, or are notin the EU but process personal data of EU datasubjects or monitor their behavior, will incursignificant compliance obligations.As the Regulation applies to both data controllersand data processors, and dramaticallyextends the enforcement powers of the regulatorsand the fines for non-compliance (i.e., 2%of worldwide revenue for negligent or recklessbreach), businesses will need to prepare forinvestment in EU data protection compliance.The current Regulation runs to 116 pages,but our summary of the key provisions is asfollows:··The Regulation will be binding on all EUmember states from the date that it comesinto force. That date will be the 20 th dayfollowing the date of publication of theRegulation in the official journal of theEuropean Union, and the application ofthe Regulation may be two years from theaforementioned date. Our understandingis that it will take at least a year to debatethe Regulation and for it to be approved bythe EU, which means that we can expectthe Regulation to be published in its finalform and enter into force in the secondhalf of 2013, giving a two-year period forbusinesses to come into compliance by2015, although it is possible that it may beexpedited so as to come in to force by 2014.··The Regulation applies both to data controllersand data processors that have eitherlegal entities in the EU, or process personaldata of EU data subjects, irrespective of thelocation of the controller or processor; butthe Regulation does not apply where theprocessing is by an individual purely forpersonal or household activities.··Most of the current definitions of datasubject, personal data, and the like, remainthe same, except that sensitive personaldata now includes genetic and biometricinformation, and consent is defined as“any freely given specific, informed andspecific indication of” the data subject’ssignification for the purposes of processing.Also, “personal data breach” is nowdefined with respect to breach of securityfor which new obligations arise.··The data protection principles broadlyremain the same, although it should benoted that consent and the mechanismsfor gaining consent are provided in detailin the Regulation. Among other things,the Regulation states that consent cannotbe automatically implied with respect tothe processing of employee data, nor withrespect to the processing of the data of achild, where the child is under the age of 13and parental consent has not been given.··Fair processing statements or privacynotices will have to be in plain and intelligiblelanguage, and drafted with certaindata subjects in mind, “in particular forany information addressed specifically toa child” (where a child here is defined asunder the age of 18).··In a privacy statement or privacy notice,Article 12 indicates that there needs to bespecific information given to a data subjectwith respect to the nature and purposesof the processing of their data and of theirrights. There are also detailed requirementsin relation to profiling and the collection ofdata via social network services.· · Although subject access requests are stillpermitted, Article 17 additionally providesthe “right to be forgotten” and to haveCompliance & Ethics Professional May/June 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 25
Page 3 and 4: Letter from the CEOby Roy Snell, CH
Page 5 and 6: “ ”Ethics and compliance operat
Page 7 and 8: NewsWebsites uncover petty briberya
Page 9 and 10: SCCE NewsSCCE conference NewsNation
Page 11 and 12: SCCE NewsNewsContact Eric Newman at
Page 13 and 14: Help Keep YourCompliance ProgramFul
Page 15 and 16: FeatureMueller places on compliance
Page 17 and 18: Featurea copy of which is provided
Page 19 and 20: 10th AnnualHigher EducationComplian
Page 21 and 22: Boehme of Contentionby Donna Boehme
Page 23: Ohio··Tim Butler, Teradata Corp·
Page 28 and 29: Get expert guidance with:The Comple
Page 30 and 31: Featureby Peter J. CrosaBuyers on t
Page 32 and 33: Featurecannon and will eventually s
Page 34 and 35: Featureby Marlowe DomanIt’s time
Page 36 and 37: FeatureCompliance & Ethics Professi
Page 38 and 39: Compliance & EthicsRegional Confere
Page 40 and 41: Featureby Roz BlissEthical decision
Page 42 and 43: FeatureHowever, it takes more than
Page 44 and 45: y Dan Small and Robert F. RoachPowe
Page 46 and 47: it is amazing, wonderful work, if i
Page 48 and 49: y Adam TurteltaubThe economy, compl
Page 50 and 51: y Justin EstepOverzealous I-9 compl
Page 52 and 53: Frederico Melville NovellaChairman
Page 54 and 55: y Gilbert Geis, PhD and Henry N. Po
Page 56 and 57: It is the policy of the company to
Page 58 and 59: Compliance & Ethics Professional Ma
Page 62 and 63: prosecutors from demanding waivers.
Page 66 and 67: y Dawn LomerSocial media evidence:A
Page 70 and 71: y Eric R. FeldmanBuilding transpare
Page 74 and 75:
Compliance & Ethics Professional Ma
Page 76 and 77:
of a company’s “ethical culture
Page 78 and 79:
Feature The last wordby Joe Murphy,
Page 80 and 81:
SCCE’s 2012 Upcoming EventsLearn
Page 82:
Join us for SCCE’s 10th AnnualHig
show all

Compliance &Ethics - Society of Corporate Compliance and Ethics

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?