This page contains a Flash digital edition of a book.
SNIA Europe update WHAT’S HOT


#dcsukarticle http://www.dcsuk.info/n/vjmy


The proposed European Union Data


Protection Regulation: Status and highlights by Matthew Byford, Associate, Squire Sanders (U.K.) LLP


On 12 March 2014, the European Parliament adopted a draft Data Protection Regulation1


to replace the 1995 Directive. The focus of the Draft Regulation


is data privacy, specifically the protection of individuals with regard to the processing of their personal data. The draft must now be considered by the EU Council of Ministers, where there is considerable resistance from several Member States.


IN CONTRAST TO THE EXISTING DIRECTIVE, which sets a minimum bar but allows Member States considerable implementation flexibility at national level, the Regulation would be directly enforceable in each Member State. One benefit would therefore be a harmonised approach to data protection regulation across Europe. If adopted in its current form, however, there are concerns that the Regulation would result in a consistently business-unfriendly regime across Europe. Highlights are provided in the Q&A that follows.


Privacy by Design/ Default


What does the Draft Regulation say? The Draft Regulation requires both data controllers and data processors to “implement appropriate and


proportionate technical and organisational


measures and procedures” to protect the rights of the data subjects, having regard to the “entire lifecycle management of personal data from


12 www.dcsuk.info I May 2014


collection to processing to deletion”. Privacy by default means that privacy settings must be set at a level which ensures that personal data will only be processed for the purpose specified, whilst allowing for data subjects to “opt in” to more extensive processing.


What are the implications for business? Businesses will be required to develop privacy by design/default tools and procedures that take into account relevant regulatory requirements and evolving industry standards. For the processing of


data considered to be “high risk”, businesses should consider embedding default settings, checklists, stop points, sign-offs, certifications, etc.


More generally, businesses should identify areas where data minimisation and purpose limitation strategies can be implemented. Default settings should be set at a level that ensures the lowest level of data processing and the highest level of data protection, but allows for consumers to actively consent to increased levels of data processing.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56