Amongst a number of themes and issues that are raised on a regular basis at our monthly Customer Data Management Group (CDMG) meetings, data protection and the need for harmonisation are consistently top contenders.
Recently, CDMG has covered the OECD Common Reporting Standard, MiFID II and the new Market Abuse Regulation, and will next be looking at regulations that focus on the asset management industry. Without fail, one of the greatest concerns is the lack of consistency in data protection law, both globally and in Europe. Whilst global harmonisation is a way off, EU regulation is a hot topic with various rules due to come into effect in the next few years.
The GDPR will replace the existing data protection directive and is intended to provide greater consistency of protection across Europe. The European Commission published a first draft in January 2012 and the European Parliament adopted multiple amendments in March 2014. More recently, the Council has agreed a general approach, a significant step forward because it forms the basis for trilogue negotiations with the Parliament and the Commission. However, it should be emphasised that the directive remains a draft and nothing more. A final text is anticipated at some point in mid-2016, at which point the landscape of EU data protection will change.
Six takeaways from the current status of the proposal
- Penalties! Breaches of the directive may incur penalties significantly higher than those that exist in the present regime. As a result, firms should start familiarising themselves with the proposal with a view to developing an understanding of what to expect, and begin to establish a culture of monitoring, reviewing and assessing data processing procedures.
- The scope of those covered by the new directive is likely to change. Currently, it only applies to data controllers established within the EU. The new directive is expected to include both controllers and processors within the EU, along with certain non-EU controllers.
- Data controllers will probably have to ask for explicit consent from the data subject for the processing of data for a specific purpose. Furthermore, the consent will cease to be valid when that purpose stops or is no longer necessary. This is a significant step forward in the protection of the data subject, where, at present, controllers can rely upon implied consent.
- Internal records of data processing activities will need to be kept and stored, and will probably have to contain more granular information than the equivalent national requirements demand today.
- Data controllers may have an obligation to report data breaches to a supervisory authority. The report will have to be submitted in a timely manner, without “undue delay”, therefore requiring internal processes to be put in place for detection and recording.
- It is likely that the rights of data subjects will increase. Despite the first draft proposing a right to be forgotten, the amendments adopted by the Parliament have reduced this to the “right to erasure”.
Political wrangling or harmonisation
The new directive is intended to bring synchronisation throughout EU states and their data protection laws. But the political wrangling which has caused the delay means that agreement on harmonisation still remains a distant dream and, for those concerned, nothing more than a draft directive.
If achieved, the new level of harmonisation will mean higher standards being imposed. Firms will need to put in place new procedures and policies to ensure compliance with the new directive. Whilst it seems that the proposal is still in early stages, the new directive will require much more from controllers and introduce new obligations for those who process data.