Are you ready for the replacement for the EC Data Protection Directive?

Pretty soon, the EU will adopt a modification of the new draft regulation for a general framework governing data protection. It will replace the existing EU Data Protection Directive 95/46/EC and will set out the rules on the protection of personal data processed for the purposes of police and judicial co-operation in criminal matters. There are a number of changes coming, as summarized in this recent article on the draft regulation over on Outsource Magazine, but the following four appear to be the most important.

  • Registration:
    a requirement for data controllers to maintain documentation of all processing operations for which they are responsible
  • Consent:
    consent from data subjects must now be explicit, and, moreover, consent will not be valid where it is the result of a significant imbalance between the data subject and data controller (e.g. employer-employee)
  • Right to be Forgotten:
    in certain circumstances, data subjects can require erasure of data
  • Enforcement:
    Data Protection Authorities get the power to impose fines on a sliding scale up to 2% of worldwide turnover for breaches.

In other words, Europe, which is (thankfully) much more progressive than the United States (as someone has to take the lead), is taking greater measures to ensure that a person owns his or her data, that an individual has a right to force you to delete certain data that applies to them (if you have no right to it), that a data controller is fully responsible for all data they collect and process (or have processed), and that any data controller that breaches their responsibility can be levied massive fines if the situation warrants.

Put another way, depending upon how much POS data you collect, especially from your on-line operation, if you are doing business in, or even with, Europe, you are (likely) subject to these regulations. If you collect more data than you need, and save that data, you could be in jeopardy of breaching the new act. It would be a good idea to review the data collected throughout the organization, summarize it, and get legal's advice, especially if the plan is to expand (supply management) operations in Europe.