Hello and welcome to Iron Mountain’s Data Privacy podcast – Personal Data is not a Commodity. With us today is Stewart Dresner. Stewart has written and researched extensively on data protection, privacy and freedom of information since 1975, and he was a founder and first chairman of the UK’s Data Protection Forum. He has spoken on Data Protection and Privacy Law at conferences across the US and Europe. In 1987 he established Privacy Laws in Business. The Privacy Laws in Business International report covers over a hundred countries with data protection legislation and proposed legislation. The Privacy Laws in Business website, www.privacylaws.com, provides details of the firm’s services and links to privacy information worldwide. Thank you for joining us, Stewart.
Well, it’s a pleasure, Karen, to join you. We at Privacy Laws in Business have been in this field for - it’s now our thirtieth anniversary year, and we keep up to date by maintaining long-standing and close relationships with the National Data Protection Authorities, the Privacy Commissioners around the world who interpret all the National laws, and we provide links to all those sources on our website in the link section. So we spend all our time on this subject; we are sort of a laser beam of attention on Privacy Law around the world.
Great, well, we are so happy to have you today. Just to get started, let me ask you: can you tell us a bit about the new European Union General Data Protection Regulation and how it impacts companies in Europe?
Sure, it’s a new law which has been negotiated over a four-year period. Currently we have the European Data Protection Directive, which was adopted in 1995, and this sets one system of law to cover personal data and sensitive personal data across all the member states. But for various reasons it is considered to be increasingly out of date; after all, the directive was adopted before the internet really got going and before a lot of people used email and mobile devices, so lots of things have to be updated to provide a seamless system of law across the European Union. As far as companies are concerned, they always want one system of law; after all, several European countries are really quite small with small populations, such as Luxembourg and Ireland, and for any multi-national company doing business across Europe it would be ideal to have one system of law. The trouble is, as far as companies are concerned, the current way the regulation has been agreed is that the standard is going up, that is, more rights for individuals, and so companies have to get their act together to improve the way - they have many more legal duties, so they have to get their act together to meet these new demands. Some examples of how the regulation will affect companies: there are increased fines at the alarming end of the scale, for both administrative problems and where companies ignore the substantive privacy requirements. The fines are now, at the greatest extent, the greater of twenty million Euros or 4% of annual worldwide turnover. I don’t want to be too alarmist, because I don’t think companies can be hit by these kinds of fines usually, but it is there to say privacy is important, and the idea from the decision makers in Governments is that this is an important subject and it has importance similar to competition policy, monopolies and mergers, where very high fines of course are the norm.
Another area of substance is that there has to be consent or another proper legal basis for the processing of data, often a consent to be given in the first instance, but what about when data is processed later on down the line? So there is a comprehensive coverage of the way that personal data is protected. The term right to be forgotten is being used quite a lot; it’s from a Spanish case which went to the European Court of Justice, but it’s best to think of that as a stronger right to erase data that is incorrect. Much has been written about right to be forgotten, but I think anyone listening to this should think of it as a stronger right for someone to delete information which is incorrect or misleading. Another point is a right to object to receiving marketing information and profiling. Profiling is at the heart of the tracking of data and the use of social media, so companies that use social media, and the social media companies indeed themselves, need to reflect on how this new provision will affect their services. There is a familiar thing for people listening from the US, that is, data breach notifications. This has been unevenly covered in Europe in the past, and now there is a requirement to inform the Authorities if a company loses data or has it hacked into, and the idea is to report to the National Authorities within seventy-two hours of a breach being discovered. Obviously in some cases it can take longer to actually work out what’s going on, but this provision is stating clearly that this is something which should happen as soon as possible.
Another point which has been reported is the requirement to appoint a Data Protection Officer, often known in the States as a Privacy Officer or Privacy Manager, and someone to report to someone at the top of the company, and to reflect the idea this is something really important - a strategic issue for companies and not a sort of minor administrative detail. So the regulation is saying this is something really important for companies to take seriously. Well, that’s a few points. I can go on at greater length, but these are some points which companies ought to know about the regulation.
Great, thank you, Stewart, and thank you all for attending today’s podcast.
For more information about data protection, visit the Iron Mountain UK and US websites. Thank you.
And you are welcome to visit the Privacy Laws in Business website as well; we have links to information in over a hundred countries: www.privacylaws.com