The 1995 Directive is now being replaced by the EU General Data Protection Regulation (GDPR).
The final wording of the GDPR was announced on 15th December 2015. The European Parliament and the Council will now formally adopt the GDPR and it is expected to become law at the beginning of 2018. Intended to harmonize the data protection regime across the EU, the GDPR will be directly applicable to member states, eliminating the need for national data protection laws in the 28 EU member states.
The new law raises the bar for data protection in the EU and across the world. So what will this mean for international business and for the relocation industry in particular?
Let's start with what is changing.
One data protection law across all EU countries (which also extends to Iceland, Norway and Liechtenstein)
So there will finally be a set of uniform rules across the EU and RMCs will be able to deal with one regulator.
Application of law outside the EU
Businesses will be subject to the GDPR if they target EU consumers, even if the businesses are not established in the EU and do not use servers in the EU to process data. As a result, it is possible that the simple act of selling a product to an EU resident (even without actively targeting the EU market) and processing that one resident's data during the sale will be enough to trigger oversight under the GDPR. This has implications for providers of relocation services which target consumers directly.
To the surprise of nobody, the maximum fines for violations of data protection law will increase dramatically under the GDPR: up to 4 percent of yearly worldwide revenues. On risk management grounds alone, legal compliance should receive greater attention than ever before, particularly from global organisations such as RMCs.
Tighter rules on consent
Processing of personal information will become much more consent-based than under current data protection laws. It will be necessary for consent to be freely given, specific and informed. It can also be withdrawn at any time.
"Privacy by Design" and "Privacy by Default"
Service processes will need to be designed from the outset to ensure an adequate level of privacy for an individual's personal data. The GDPR includes obligations for data controllers to adopt privacy by design and privacy by default principles. Controllers will have to ensure that the only personal data processed is the data necessary for each specific part of the processing, and that personal data is not collected, retained or disseminated beyond the minimum necessary for those purposes.
We recommend that RMCs should focus on the following:
- Data collection and storage practices: review the scope of your EU operations, including the type of data you collect from the EU, what you do with that data, whether you need all the data that you collect and process, and how long you retain that data.
- EU regulatory compliance: review your current regulatory compliance and adopt a GDPR compliance plan for full implementation by Q4 2017.
- Privacy by design: if these principles are not already embedded in your company's processes, then evaluate how to revise those processes to achieve "privacy by design" compliance.
Given the risk of eye-watering fines, it is vital for all organisations in the relocation industry to be clear about the practical impact of GDPR and to ensure that compliant processes are in place by the end of next year.