1. Icon-based privacy notices


With the imminent introduction of enhanced EU data protection laws, all companies must plan ahead to ensure they stay on the right side of the law. Larger companies will create roles and processes and appoint DPOs (Data Protection Officers). But where does that leave the small to medium business, where such an appointment could badly affect the bottom line? Signing up for data protection as a managed service is one way. Relentless IT Solutions will be adding this service to its growing list of cloud managed services. Contact info@relentless-it.com or sign up using the contact form at relentless-it.com for more information.

A new concept is the requirement for information to be provided to individuals in two ways: (i) in a yes/no icon-based table; and (ii) in a detailed notice.

This means it is highly likely that businesses will need to update all of their existing transparency mechanisms to meet this additional obligation, incurring unavoidable external costs.

From an online shopper's point of view there will be very little change, except that privacy notices will be more prominent than before; basic interactions with businesses online will essentially remain the same.

Beyond this, users of online services are unlikely to be aware of any extra protection afforded by the new regulation. In fact, it may take decades before any real benefits become obvious.

4. Privacy impact assessments (PIAs)

Businesses will be required to complete PIAs at least annually, and in some instances the data protection officer or the supervisory authority will need to be consulted. This is another example of the increased administration and costs that the proposals impose on businesses.

However, businesses do need to think hard about privacy risk. In the long run, businesses everywhere will come to see PIAs as part of their core business.

5. Increased threshold for appointment of Data Protection Officers (DPOs)

The latest draft also introduces a requirement for all businesses processing personal data relating to 5,000 or more data subjects in any consecutive 12-month period to appoint a DPO. It also introduces a two- or four-year minimum term for the DPO, who must meet certain minimum criteria to be appointed.

What about the DPO proposal? We do not see it as being evidence-based. Businesses should have more flexibility about the mechanisms they implement for monitoring compliance.