5 tips for any European and non-European entity involved in online business in the European Union.
Following the European Parliament vote on the EU Data Protection Regulation, the provisions of the latter are slowly becoming a reality. The following tips can help businesses prepare for the new rules.
1. Will the Data Protection Regulation apply to you?
The Data Protection Regulation will apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, whether the processing takes place in the Union or not.
2. Do you have your customers’ informed consent for what you are doing with their data?
Consent should be informed consent, given explicitly, by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes. This can be either by a statement or by a clear affirmative action that is the result of choice by the data subject, resulting in informed consent and ensuring that individuals are aware that they are consenting to the processing of personal data.
Clear affirmative action could include ticking a box when visiting an internet website or any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed data management and processing of their personal data. Silence, mere use of a service or inactivity does therefore not constitute consent. Additional attention in the data protection policy is given to automated individual ‘profiling’ based on their personal data, a practice regularly employed by web-based services.
3. Take care of extensive information requirements contained in the new Data Protection Regulation.
There is information in data privacy that needs to be provided to the individuals from whom personal data is collected (‘data subjects’) in a two-stage process. Companies not paying attention to detail are unlikely to get the data protection process right without consulting a data protection professional.
4. Enable subsequent access and erasure of data pertaining to a data subject.
Individuals may approach you even after they have given you their consent, suddenly requesting they access data or ask for data erasure, with the Data Protection Regulation prescribing precise procedures that needs to be in place when this happens. Note that the individuals shall have the right to be forgotten, and companies controlling personal data may be required to take all reasonable steps to have their data erased, including by third parties.
5. Consult professionals.
Aphaia is an excellent choice because we not only possess valuable legal, policy and operational knowledge and experience in the data protection field but also go beyond mere legal, business and technological understanding, effectively integrating all three of them.
