There are new privacy regulations in the European Union, and this has quite a bit of impact. Also for event planners and event companies. Lawyer Bart Van den Brande explains clearly what this means.
Hi Bart, welcome to our studio.
Today’s topic is new European privacy regulations. What changes?
Well, there are a lot of changes ahead. There is a new European Union regulation, as you said, that is going to become active as of first of May 2018. That regulation is going to change, fundamentally change the way companies treat personal data. Personal data being names, emails, addresses, telephone numbers. Anything that can help to identify an individual person is personal data. That regulation is going to change the way we work with that data. And contrary to what people seem to think at present… this is something that doesn’t only concern marketing departments within companies. This is something that concerns HR departments, accountancy, purchasing departments. Because they all have personal data in their databases.
Okay, so it’s a lot bigger than I thought. But what exactly changes then? What are the new regulations?
Well, that new regulation has two parts. One part concerns the way we collect and treat data. How do I get an opt-in from people that allows me to treat data? Which information do I have to give to those persons? Which rights do they have? One of the new things in that regulation is a right to be forgotten, for instance. People will have the right to demand that all of their data is permanently erased. And companies who get a demand in that sense don’t only have to erase the data in their database… but they will have to contact every third party to which they ever passed on that data, and ask them to delete that data as well. So this might have quite an impact on companies.
And then there is a second part in that regulation that has an even bigger impact. That is the way we process and store data within the company. One of the main new obligations in that part of the regulation is the obligation to… completely document every step of data processing within the company. You will get a data record that can prove if ever in the future your data is hacked or stolen… that can prove which data was treated when, how it was treated, who had access to it. So you’ll have to document the entire way your databases are managed on a day-to-day basis. You will need to put in place written contracts with all subcontractors that you use. Subcontractors being an email service, a hosting provider, marketing consultants… the external advertising agency with which you work, HR consultants that you use. External accountants. Your lawyers.
It’s difficult to sign a contract with a lawyer.
If they have access to personal data you will need a written contract containing… certain mandatory clauses on data security, on guarantees given by those third parties. If you don’t have those contracts in place, if they don’t contain the right clauses, you will run the risk of running into a fine. And the fines in the new regulation are extremely high.
And what's extremely high?
Up to 4% of your yearly turnover, into the millions of Euros.
That's a lot.
That’s a lot of money. I don’t know a lot of companies that have 4% of their turnover in cash, ready, just to pay…
…to the governments, in a fine. It can cause serious financial…
And why are they so high?
Well, they are so high because the European Commission… The reason why this new regulation is in place is the bad reputation of international players like Facebook, Google or Apple. That in the past have not always been very careful with the way they treat data. And the European Commission has put in place new rules. They have to be able to touch, to get to those companies. And that’s why the fines are so high. Because we want to make sure that those companies as well are scared off… scared off is perhaps a bit heavy, but feel a sense of urgency to respect the rules. That’s why they’re so high. But as I said, they are very high as well for small companies.
Yeah, indeed, and on top of that, if you’re a small company and you need to achieve all those things, it’s like a full-time job.
In reality it’s a full-time job for a certain period of time. We expect medium-sized companies to require between ten and fourteen working days, probably, to get ready. And those ten to fourteen working days spread over a period of a few months. Because you need to map within the company where data is coming from, who has access to data… how data is treated, which contracts are in place, how data is coming into the company and leaving the company. The next step will be putting in place processes that guarantee data security. And changing or adapting or completing all contracts, or putting in place contracts if there aren’t any yet. Internal labour regulations within the company will probably have to be adapted. That will require the agreement of the personnel, with the staff of the company. Those are things that take time. So we are expecting this to be a five to six month job. And companies should start in time because most companies…
But we have until…?
Until May 2018. But given the fact that you will need a few months to get everything in place and that you will most likely need external consultants… legal consultants on the one hand, IT security and data processing consultants on the other hand… and given the fact that there are not so many people really specialised in this field… and given the fact that almost any company in Belgium will need to start working on the preparations for this new regulation… it will be very hard to find the right people before May 2018 if you start too late.
So it’s better to start right now.
Better to start now, to get everything in place for the summer of 2017. And then watch your competitors fail because they can’t get everything done in time.
That’s a good idea, Bart. Thank you very much for coming over to the studio.
And you at home, thank you for watching our show. I hope to see you next week.