Compliance &Ethics - Society of Corporate Compliance and Ethics

Featurepersonal data erased. This new right, inconjunction with the right of data portabilityin Article 16, will require businesses toimplement stricter controls over the managementof databases, particularly wherethey are outsourced.··Articles 16 and 17 now provide the rightto object to profiling, and detail the obligationsof companies that use profilingtechnologies.··For the first time, the role of the data protectionofficer is introduced for all but smallbusinesses. This will require businessesto put in place not only contracts for thisnew position, but also appropriate trainingand authority for purposes of compliance.We think it likely that the data protectionofficer will be the person responsible formaintaining internal compliance registers,and serving as the interface between thebusiness and the regulators.Compliance & Ethics Professional May/June 2012··The obligations for the data controller, jointdata controllers, and the data processor areredefined. In addition, the data processorwill have direct liability for compliance,which does not exist in the current regime.··While the concept of registration witha data protection authority is likely toremain in place, there is now under Article28 a new obligation for the controller andprocessor to maintain an internal registerof compliance, and to make this registeravailable on request to the Data ProtectionAuthority by virtue of its new powers.··There are enhanced requirements for datasecurity, and specifically in Article 31,there is a mandatory breach notificationprocedure for all but small enterprises.··There are new details in relation to PrivacyImpact Assessments and specific priorauthorizations and prior consultationsbefore data processing or data transfersmay be permitted. In relation to data transfers,there is considerably more detail onbinding corporate rules as a solution totrans-border data flows or trans-borderdata transfers.··Although there are other specific issues,the last one that we wanted to mention is inrelation to the new powers of enforcementfor the Data Protection Authorities whowill monitor, audit, provide guidance, hearcomplaints, conduct investigations, opineon compliance issues, and issue licences forinternational data transfers. Furthermore,with respect to breaches of the Regulation,there is a whole new range of penalties andsanctions with fines for minor breachesof 0.5% of a business’s annual worldwideturnover, rising to 2% of annual worldwideturnover in the case of intentional or negligentbreach of the Regulations.Although there is no guarantee that theproposed Regulation will be the final publishedRegulation, we anticipate that at thisstage few significant changes or additions willbe made, and therefore, we are starting theprocess of considering the full range of compliance,policies, practices, and procedures thatwill be necessary for small, medium, and largeenterprises, whether operating in a single EUmember state or operating globally. ✵Robert Bond is Head of Data Protection & Information Law atSpeechly Bircham LLP in London, England. He may be contacted atrobert.bond@speechlys.com.26 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977