Data protection: Time to take action


Author: Aisling Duffy

On 25 January 2012, the European Commission decided that a substantial overhaul of data protection regulation is required and issued its proposals for change.

The proposals are currently making their way through the legislative process in Brussels but, once approved, are expected to take effect at some point in 2014.

What does this mean?

If adopted in their current form, these reforms will introduce some very significant changes and will have a major impact on how organisations that process personal data must do so.

The extent and nature of the changes being proposed mean that it would be very unwise to sit back and wait for the reforms to be implemented and then to take action.

Instead, organisations, particularly those who rely on their ability to collect and process personal data or who process significant amounts of personal data, should be taking stock of their current practices, policies and procedures. Only then will they be able to 'hit the ground running' when the reforms finally arrive.

The changes

The proposals, as currently drafted, introduce many changes.

In particular, they will:

  • Make it compulsory for organisations to notify the Information Commissioner's Office (ICO) of every data security breach regardless of the nature or extent of the breach. In particular, organisations will be required to notify 'without undue delay' and, where feasible, within 24 hours.
  • Require that every consent obtained in order to ensure that the processing of personal data is fair and lawful must be 'explicit'. Currently explicit consent is only required where the processing involves sensitive personal data (for example information relating to medical conditions, religious beliefs, criminal convictions etc). This change will therefore require organisations to rethink the processes and documentation they use to collect personal data.
  • Mean that some obligations will apply directly to data processors. Currently the obligations in the Data Protection Act only apply to data controllers. This is therefore a significant change and will mean that many organisations who have enjoyed the relative comfort of not being caught by the Act will be required to ensure that the way they collect and process personal data complies with the Act.
  • Introduce a right to be forgotten. This will enable individuals to request that their details are completely removed from systems and, subject to certain exemptions, not processed further. In addition, it will require organisations to take reasonable steps to ensure that any third party to whom they have passed those details also removes them from their systems.
  • Introduce the power for the ICO to impose much larger fines for organisations which breach their obligations. Currently, the maximum fine that can be issued by the ICO is £500,000, and this is likely to increase to 2% of the global annual turnover of the organisation.


Now is the time to take stock of current levels of compliance within your organisation and to come up with a realistic plan to ensure that your organisation is ready for the changes.


For further information on the proposed reforms, to discuss how they might affect your business or what you can do to ensure you do not get caught out, please contact Aisling Duffy on 03700 865089 or at [email protected]