Get ready for the new data protection rules
This year the European Commission published proposals to reform EU data protection law. The General Data Protection Regulation (the Draft Regulation) introduces new obligations for both data controllers and data processors, proposes new rights for individuals and strengthens the powers of the data protection authorities.
The Commission clearly intends for tighter regulation but the draft regulation is not expected to become law until at least 2015. Given some of the concerns expressed to date, it would be surprising if significant amendments are not made before the draft regulation is finalised.
Some of the current proposals that could affect both a company’s levels of risk and its compliance burden in the UK are set out below:
Mandatory breach notification
At present there is no general requirement for a data security breach to be notified to the Information Commissioner’s Office (the ICO). However, the draft regulation requires a data controller to notify the ICO not later than 24 hours after becoming aware of a breach.
In principle, this means that every breach is notifiable. Not surprisingly, the ICO has highlighted the danger that it will be swamped with notifications of trivial breaches and that a 24 hour notification period is unlikely to be realistic.
Broader definition of personal data
Until now, data protection legislation has only been concerned with personal data in the hands of the data controller. However, the draft regulation envisages a broader definition of ‘personal data’ that includes all data that is capable of identifying an individual, even if the person who actually holds the data cannot make the link.
This will put pressure on businesses to ensure that whenever information is collected or processed in a way that might refer to data subjects, there are policies and processes in place that ensure that there is an audit trail around the processing and that the data subject is informed of his or her rights, even when the information processed is very limited.
New obligations on data processors
Data security will no longer be the sole responsibility of the data controller. Under existing rules, the obligation of a data processor to comply with security requirements flows solely from its contract with the data controller. Under the draft regulation, ‘data processor only’ businesses will fall directly under the data security requirements of the new regime and will face a compliance burden.
New rights for individuals
A much touted ‘right to be forgotten’ is proposed, allowing an individual the right to delete their data at any time – of particular significance where an individual wishes to remove data posted online. Fierce lobbying against this by social networks may yet well see this significantly watered down.
Mandatory data protection officers
Data protection officers (DPO) will be mandatory for large private companies (with 250+ employees) and public authorities. The DPO must have ‘the necessary level of expert knowledge’ and must not take on any other duties that may result in a conflict of interest with the DPO role.
For many, the role will be broader than many current DPO roles and will include informing the company of its legal obligations, monitoring implementation, training, and notification of breaches. The draft regulation appears to see the DPO as an independent watchdog and supervisor, albeit one employed by the company.
There will be significant new sanctions for non-compliance. At the upper end, a fine of up to 2% of a company’s worldwide turnover is proposed for breaches of the draft regulation. This is much higher than the maximum fine of £500,000 that the ICO may impose.
To view our Technical Factsheet on Data Protection, please click here.
Prepared for Lockton, ACCA’s recommended PII provider, by Caroline Kenny, associate, Reynolds Porter Chamberlain LLP