
What will EU data protection updates mean for UK businesses?

Insight Contacts: Craig Chaplin (National Head of Commercial & IP) and Bob Elliott

Date: 09/02/12

It has become increasingly clear that current data protection rules have fallen behind the way people share information in the modern age. The current UK regulations are based on an EU directive developed three years before the incorporation of Google, nine years before the launch of Facebook and 11 years before the first tweet. With that in mind, the European Commission released its proposals for an overhaul of the EU data protection regime last week.

While the UK regime is relatively flexible, thanks to the continued guidance of the Information Commissioner’s Office (ICO), it has been widely acknowledged that the law is in need of updating to keep up to date with advances in technology and new personal data risks that are emerging.

However, although an update is welcomed in principle, the proposals are proving controversial. The general consensus is that, in an attempt to protect the individual, unreasonable and unworkable burdens risk being placed on businesses.

What will the updates change?

There are two main issues that will affect businesses – proposals regarding individuals’ rights over the use of their personal data, and new obligations which businesses must meet in terms of data protection.

With regards to the first issue, the proposals suggest that businesses will need to gain explicit consent to process personal data – rather than the implicit “opt-out” systems that are currently allowed. It’s likely that some companies will try to find new ways around expressly asking for permission to use personal details, potentially falling foul of the regulations in the process.

Individuals will also be able to request that all their personal data is erased by a business if it is no longer necessary for the company to hold it. If this data has gone public, the business will have to take steps to ensure that any third parties who may have processed the data also remove it. It’s not yet clear exactly how this could work in practice, but for obvious reasons it is likely that this would be an extremely testing task for affected businesses.

Secondly, there are also real concerns that proposed rules on reporting data protection breaches are overly onerous. When there is a breach, such as a hacked network, a business will have to notify the ICO and affected individuals without delay, and, where possible, in less than 24 hours.

An obligation to notify the ICO and inform individuals in parallel – and at short notice – could actually divert resources away from resolving the breach. The proposals do suggest that companies will be allowed to miss the 24-hour deadline if they have “reasoned justification” for doing so, so it is likely that many companies will rely on this caveat in the event of a serious breach.

Conclusions

It is likely that the updates will have significant implications for many businesses. However, they are still very much at the proposal stages – in all probability not becoming law until 2014 or 2015.

Within this timeframe, the regulations will probably evolve, but it is virtually certain that businesses are going to be expected to do more to protect individuals. We would advise that businesses take steps now to adhere to current best practice in the use of personal data, so as to be in good shape for the introduction of the ‘new world’ regime.
