The EU's new data protection regulation at-a-glance

Chris Hamblin, Editor, London, 3 June 2016

The European Union is plotting to impose more stringent and prescriptive data protection rules on banks and other businesses, according to the compliance experts at the accountancy firm of EY.

The experts have provided a list of features that the next piece of Euro-legislation on the subject might include. It is awaiting its final reading in the European Parliament and will, if passed, take the form of a regulation that comes into force in the spring of 2018.

EY writes: "The regulation will replace directive 95/46/EC. It will apply in EU member-states without further consultation after a period of two years. Organisations are likely to welcome the harmonisation [EU-speak for standardisation] of laws across the 28 member-states. The introduction of new rights for individuals, such as the right to be forgotten and the right to portability, as well as the introduction of mandatory breach notification, are likely to increase the regulatory burden. Businesses need to...decide on the level of investment they need to make over the next two years."

Probable changes

The provisions that financial firms might expect out of this regulation-to-be, according to the present draft, are as follows.

Fines of up to 4% of annual worldwide turnover. As a sop to the desire of each great power to impose 'super-equivalence' and extraterritorial rules on globally mobile businesses, the EU is proposing to let regulators impose fines as high as 4% of annual turnover or of €20,000, whichever appeals to them at the time. EY does not explain why any national regulator should feel the need to ask the EU for permission to levy any fine it likes, unless perhaps the EU is proposing to ban regulators from levying anything higher than these two amounts for the purposes of data protection. If this is the case, the appearance of an upper limit for the punishment that a bank can expect is to be welcomed.

A wider ambit for the legislation. The new regulation-to-be is aimed at all data controllers and processors established in the EU and "organisations that target EU citizens." EU citizenship is supplementary to national citizenship and affords the holder rights such as the right to vote in EU-related elections, the right to free movement, settlement and employment everywhere in the EU, and the right to consular protection by other EU states' embassies in the wider world.

Accountability. Every organisation, according to the present draft, should prove that it is 'accountable' by "establishing a culture of monitoring, reviewing and assessing data-processing procedures"; minimising data processing and the retention of data; building in safeguards to data-processing activities; and creating documents that describe data-processing policies, procedures and operations that it must then make available to its data protection supervisory authority on request.

"Privacy impact assessments." These, according to EY, are assessments of 'privacy risk' in new systems and projects. The EU wants to make all firms undertake them when processing personal data in a risky way or on a large scale.

Consent. Firms must obtain "freely-given" consent from consumers to process their data for specific purposes. They must tell them that they have the right to withdraw their consent. Consent, moreover, must be 'explicit' in the case of sensitive personal data or flows of data across borders.

"Mandatory breach notification." This piece of EU jargon refers to organisations having to tell their data-regulators about so-called 'data breaches' (presumably instances in which they are breaking the data protection laws - perhaps even this one, after it has come into force) without undue delay and/or within 72 hours. They will not have to do so in cases where these events are 'risky to individuals,' whatever that might mean.

New rights. These include the individual's right to be forgotten, which is basically the right to ask data controllers to erase all personal data without undue delay in certain circumstances. They also include his right to 'data portability.' This, in the strangled parlance of the EU, allows individuals who have given their personal data to firms to ask them to 'port' the data to other providers, presumably in the way that someone 'ports' a book from one shelf to another. Finally, there is the right to object to profiling - i.e. the right not to be subject to a decision based solely on automated processing. EY does not say it, but in today's political climate it seems likely that the regulation-to-be contains massive carve-outs for governments in respect of these rights.

Privacy by design. Organisations, according to the draft that EY has seen, should design data protection into the development of business processes and new systems. EY rounds this section off with a mysterious ten-word bullet-point: "privacy settings are set at a high level by default."

Obligations for processors. Data processors are to be obliged to do even more than in the past and will become officially regulated entities. Even though this is obviously the most important entry on the list, EY never mentions it again.

Not a high priority...yet

Last year EY and a body called the International Association of Privacy Professionals conducted a global information security survey. This indicated that data protection was not a high priority for businesses. Almost two-thirds of respondents stated, rather amusingly, that their "privacy maturity was only at early or middle stages of maturity." Two-thirds exactly said that regulatory compliance was one of their top reasons for "investing in privacy." Meanwhile, 31% of organisations said that they were planning to take on more people to deal with privacy.