The European Commission published draft proposals in January 2012 which aim to update data protection regulations and unify data protection within the EU.
Summary of Proposals
- Stricter requirements on organisations to adopt policies and procedures that clearly demonstrate how processing of personal data is carried out. Organisations will only be able to collect the minimum amount of data required for the task in hand, and can't retain data for longer than is necessary.
- Public authorities or commercial organisations which employ more than 250 people will have to engage Data Protection Officers.
- Individuals have new rights including enhanced rights to access personal data from organisations that are processing it, to object to data being processed and to have the processing stopped.
- They can also request that their data is erased where there is no legitimate interest in retaining it. In addition, if that data has also been made public, third parties who are processing it must be informed of the request for the data to be erased.
- Perhaps most important is the right not to be subject to automated profiling. This means organisations will be prevented from using this method to make decisions on individuals based, for example, on their credit scoring.
At the moment there is no general legal duty to notify regulators or individuals affected by data security breaches in the UK although the Information Commissioner's Office has published guidance on management of data security breaches and breach notification.
The draft proposals make this a requirement and state that where there are personal data breaches, data controllers are required to notify supervisory authorities without undue delay and within 24 hours "where feasible". Controllers will also have an obligation to notify individuals where the breach is likely to adversely affect the protection of their personal data or privacy.
There are heavy penalties for breaches, and we suggest it would be sensible for organisations to conduct a thorough review of their data protection policies now in order to be prepared for the change.
Further information can be obtained from http://ec.europa.eu/justice/newsroom/data-protection/news
If you would like to speak to our team about data protection regulations and what they mean for your organisation, click here.