After years of debate, the European Commission decided that a major overhaul of data protection regulation is needed, and issued its proposals for change in January 2012.
Since then, many businesses and organisations have put forward their arguments in support of certain proposed changes, and in objection to others.
The proposals are currently making their way through the legislative process in Brussels and are likely to be implemented in 2014.
If adopted in their current form, they will introduce significant changes and will require organisations to rethink their current policies, procedures and general compliance measures in order to bring them into line with the new requirements.
Among the major changes are:
Regulation not a Directive - the proposals, if implemented, will introduce a Regulation to replace the existing Data Protection Directive. As a Regulation, it will have direct applicability in all 27 Member States without the need for domestic legislation.
Compulsory breach notification - the obligation to notify the Information Commissioner's Office (ICO) is currently only compulsory for certain sectors. The Regulation would make it compulsory for all data breaches to be notified to the ICO without undue delay and, where feasible, within 24 hours. In certain circumstances this obligation will also extend to notifying affected data subjects.
Consent must be explicit - currently, consent required under the Directive must be 'fully informed and freely given'. If the Regulation comes into effect in its current form, this consent will also have to be 'explicit'.
Data protection officers must be appointed in certain circumstances - the Regulation would make the appointment of a data protection officer compulsory for organisations with more than 250 employees, public authorities or organisations whose activities involve the regular and systematic monitoring of data subjects. The Regulation also suggests that data protection officers would be required to possess certain minimum qualifications and will place certain conditions on their engagement, including that they must be appointed on a minimum two-year contract).
Individuals are granted a right to be forgotten - the Regulation gives individuals a right to be forgotten, and requires that where a data controller has made their personal data public they must take all reasonable steps to inform third parties that the individual has made a request to be forgotten.
Extended scope - the Directive currently only applies to data controllers established in the EEA. The proposed Regulation will extend certain obligations to data processors and will also apply to data controllers located outside the EEA, but who process data relating to residents of the EEA to offer goods/services to them.
The concept of 'consistency' will be introduced - to encourage harmonisation, the Regulation introduces a 'one stop shop', whereby organisations will be regulated by the data protection regulator in the country of their 'main establishment'. It also introduces a consistency mechanism encouraging regulators in each Member State to cooperate to ensure consistent application and enforcement of the Regulation.
The obligation to register with the regulator will be removed - organisations processing personal data are currently required to register with the ICO (unless exempt). If the Regulation is implemented in its current form, this will no longer be required.
Increased fines - the maximum fine that can be issued by the ICO is presently £500,000, whereas the Regulation will introduce tiered fines with the maximum set at 2% of the global annual turnover of the organisation concerned.
Removal of right to charge a fee for processing Subject Access Requests - data controllers currently have the right to charge a fee of up to £10 for each subject access request. The Regulation will remove that right, and data controllers will be required to comply with those obligations free of charge.
Whilst these are currently only proposals - which are likely to be revised as a result of lobbying and the call for evidence - significant changes to the current regime are inevitable.
So it is not surprising that many organisations are already taking steps to prepare, despite the fact the changes will not be implemented until 2014 at the earliest.
For further information, please contact Aisling Duffy at [email protected] or on 03700 865089.