A comprehensive reform of the data protection rules is under way in the EU with the aim of harmonizing the legislation pertaining to the handling of personal data in the member states. The reform is to be carried out with a new data protection regulation which would be applicable as such in all member states. The reform would bring about significant obligations for companies, the most essential of which include (1) the obligation to appoint a data protection officer for a company in certain circumstances, (2) heavy fines for violations of the rules, (3) the obligation to notify about data breaches, (4) the person’s right to be forgotten / right of erasure and (5) guiding principles according to which data protection must be taken into consideration already in the design stage of services (privacy by design) and default settings must be more privacy-friendly (privacy by default).
The content and schedule of the reform are currently the subject of a fierce political battle. To summarize the situation, it is uncertain whether the reform will be carried out, what its content will be (if the reform is carried out) and when all this will happen. The Commission and the European Parliament are aiming for the reform to be passed before the European Parliamentary elections in May 2014. There are obviously also other forces on the move that would prefer to see the reform postponed until 2015 or perhaps would rather see the reform fail completely. Faced with such uncertainty, it is easy to convince oneself that it is not worth the effort to invest or to allocate resources to data protection matters at the moment.
Nonetheless, I would argue that whether or not the reform is passed, it is worth the effort to dig your head out of the sand in relation to data protection matters (if you haven’t already done this). If the reform is passed, companies will be fixing their data protection issues because the reform will most probably bring heavy fines to the table for unauthorized use of personal data. Or how does a fine of 2% or even 5% of your company’s global turnover sound? The fear of authorities in itself is a reason to get things in order.
However, the most important reason to invest in data protection matters is that public awareness of and interest in these matters have increased rapidly. In other words, neglecting data protection constitutes a considerable risk to your company’s reputation. Therefore, it is worth the investment to address these issues now and not later. The revision and perhaps correction of your company’s procedures is easier to carry out under the current legal framework since there is no risk of heavy fines for unpermitted procedures. By fixing things in advance you can’t actually lose! If the reform is passed, you already have an understanding of your company’s situation and you can more easily make the necessary fine-tuning before the reform enters into force. If the reform is not passed, you have in any case fixed an important aspect of your company, the significance of which will certainly not diminish in the future.
Finally, a word of consolation! Data protection matters are not rocket science. Companies just need to determine how and what personal data is processed in the company (and yes, all companies process some personal data, unless you do not have any customers or employees). Once the determination work has been done, you should openly inform those people whose data you are going to collect about the processing.