March 13, 2014, 12:41 PM — A law approved by the European Parliament on Wednesday and aimed at protecting citizens' privacy comes with sweeping penalties for breaches -- up to €100 million (US$139 million) or 5 percent of global annual turnover, whichever is larger.
The European Data Protection Regulation will apply not only to European companies, but any company that does business in the European Union.
"This means that U.S. companies, even if they do no business in Europe, should be prepared to meet or exceed the EU regulation for the purposes of business operations," said Ross Federgreen, founder of consultancy Compliance Solutions and Resources, in an email.
Breaches include transferring data out of the EU without explicit permission or using data in a way contrary to the obligatory privacy notice on corporate websites. Data breach notification must also take place as quickly as possible, ostensibly within 24 hours. Where this cannot be achieved within 24 hours, an explanation of the reasons for the delay must be submitted to regulators.
"These requirements are being created by politicians. Their definition of adequate security may be different from businesses. It is vitally important that privacy professionals understand the requirements," said Sam Pfeifle of the International Association of Privacy Professionals (IAPP).
The organization says there are four key areas to consider for compliance with the new regulation.
First, under the new law all businesses employing more than 250 staff will be required to appoint a Data Protection Officer. The DPO should have more than a compliance role, according to the IAPP. An effective DPO needs to be someone strategic, who can be involved in product development.
The IAPP also recommends setting up privacy steering committees or privacy working groups at every stage of product and service development. This would go a long way to implementing Justice Commissioner Viviane Reding's "privacy by design" framework.
In addition, data security does not equal privacy. "Many privacy professionals are focused completely on breaches and combatting them, but now they must take a wider view. Just because you haven't been breached doesn't mean you haven't committed a privacy violation," said Pfeifle. Processing of data must be carried out in full accordance with the new law. Where, when and why personal data is processed must be disclosed to the user.