The European Commission (“EC”) has recently announced that it intends to conclude negotiations on, and finalise, the new Data Protection Regulation by the end of 2015 at the latest. The regulation will harmonise data protection law across all EU member states and will have wide-reaching effects on how many organisations handle personal data.
In reality the regulation may not actually come into force until 2017, but when it does it will have immediate direct effect on each member state, meaning that employers will have no period of respite whilst the UK government implements the regulation.
Data protection has become more of a central issue for both the UK and the EC over the past few years. In the UK, this has primarily been due to the Information Commissioner's concerns about a number of high-profile data losses and the aggressive marketing techniques of companies that obtain as much personal data as possible and then bombard those individuals with nuisance calls, e-mails etc. This led to wider enforcement powers being given to the Information Commissioner, including the ability to fine an organisation without prior warning for a sum of up to £500,000. Organisations can be held fully accountable for the mistakes of their employees, such as leaving a laptop holding sensitive data on a train.
Meanwhile there has been concern within the EC that there is a lack of consistency in relation to data protection across the EU member states. There is also a (probably quite justified) line of thinking that data protection regulation quite simply has not kept pace with technology advances over the past few years.
Whilst the full details of the EC regulation have yet to be finalised, what is clear is that it will be more regimented and more onerous than the current obligations under the Data Protection Act 1998. Employers can expect it to be mandatory to appoint a Data Protection Officer and to report certain breaches directly to the Information Commissioner. They can also expect stricter tests for the consent required to process data and more regulation of transfers of personal data, particularly where the transfer is to a country outside the EU. Currently proposed maximum fines are up to either 5% of global turnover or 100,000,000 euros, so compliance clearly becomes a key commercial consideration!
In preparation for the final regulations, employers should consider appointing and training a data protection officer if one is not already in place and reviewing data protection policies and procedures to ensure that they currently provide adequate protection. Data protection is a complex area and it is important to have the right systems in place and ensure that your employees are aware of and carry out their duties prior to the EC regulation being implemented. Simply reacting when the EC regulation comes into force could result in mistakes, breaches and heavy enforcement action against your organisation.
If you have any questions about this blog or any other area of employment law, please get in touch.