The European Commission has published its framework for modernising data protection legislation across the EU.
The General Data Protection Regulation will replace the EC Data Protection Directive, which is implemented in the UK by the Data Protection Act 1998. It will apply directly across all 27 EU Member States, thus bringing greater harmony to the way in which personal data protection legislation operates, compared with the rather fragmented rules that apply at present.
Under the proposals, organisations will only have to deal with a single national data protection authority in the EU country in which they have their main establishment.
Some areas of the draft Regulation still need to be fleshed out, but the following measures are proposed:
- The introduction of increased penalties for non-compliance. This would involve a tiered system of fines, with a maximum fine of up to two per cent of an enterprise’s global turnover, or €1 million for other data controllers. Currently, the maximum fine in the UK is £500,000;
- An obligation for organisations employing 250 or more people to appoint an independent data protection officer. Failure to do so would attract the highest level of fine;
- The abolition of the blanket requirement to notify the national regulator that the processing of personal information is taking place. Instead, an impact assessment regime is proposed, with the data controller or processor obliged to notify the regulator where the assessment indicates that processing is likely to present a particular risk to data subjects;
- Increased accountability (including strict record-keeping requirements) and security measures, in line with current best practice;
- The mandatory notification of a data breach within 24 hours where feasible;
- A strengthening of the rules relating to processing personal data so that an individual’s consent is genuine and specific to the processing, not a general consent on a range of matters;
- The introduction of a right to data portability, so that individuals can obtain a copy of their personal data in a reusable, electronic format; and
- An obligation on data controllers to erase personal information where the data subject has withdrawn consent for it to be held or where the agreed storage period has expired.
It is also intended that companies based outside the EU that process data on EU citizens will be subject to the Regulation where the information relates to the offering of goods or services (or if they monitor the behaviour of EU citizens).
The proposals will no doubt undergo changes before they are submitted to and approved by the European Parliament, a process which is likely to take two years. Member States will then be allowed a further two years to implement the measures.