The European Privacy Imperative as of 1st of January 2016

The EU Data Protection regulation will come fully into force across European member states by the end of 2017. However for the Netherlands the majority of the requirements will come into force as of January 1^st, 2016. The EU Data Protection regulation has numerous components, but one key element is that businesses, including multinationals, with a subsidiary in the EU, will now be held responsible for the protection of the data they process, including ISP’s and other third-parties.

As of the 1^st of January 2016 in the Netherlands, the law will require data controllers to immediately notify the Data Privacy Authority (DPA) of any security breach that poses a significant risk for the protection of personal data. The data controller may also be required to notify the affected individuals if the breach can result in consequences for the individuals’ privacy. Notification of the affected individuals is not required if the data affected by the breach is unreadable or inaccessible, by third parties (for example, if the data is encrypted).

For businesses, the message must be very clear that a privacy breach in the EU must be taken seriously. The fines are set on the highest category range (820K EUR), and up to 10% of the annual net revenue, or in case of a multinational 2% of their global net revenue.