EU Data Protection – a new regime

18th July 2016

After only three years of EU discussions (brief by EU standards!), agreement has been reached on a new data protection regulation with the catchy title “the General Data Protection Regulation”. When implemented (this is likely to be spring 2018) it will represent the biggest change to data protection laws in over 20 years. Businesses need to be aware of these changes now in order to ensure that they have time to review their procedures and remain compliant. Rebecca Anforth, Commercial Solicitor at Murrell Associates, comments some of on the upcoming changes and what it will mean for businesses:
1. Greater consent and transparency requirements when collecting personal data. Businesses should begin reviewing internal processes, including online privacy policies and opt-out notices to ensure that they are compliant with the revised laws.
2. Larger businesses (with over 250 employees) will be required to appoint a data protection officer to regulate procedure and compliance.
3. Mandatory breach notifications need to be put into force, whereby businesses will be required to notify the relevant national authority of any serious data protection breaches as soon as possible. For example, if an English company’s data has been hacked, they must swiftly notify the Information Commissioner’s Office.
4. Data processors may be exposed to joint and several liability with data controllers, meaning that they could also be liable for breaching the new law. This is different to the existing legislation which only imposes data protection obligations on the data controller.
5. Many businesses keep information about users with a view to creating a detailed picture of them and this activity is commonly referred to as “profiling”. However, the new laws are likely to require that businesses obtain explicit consent to profiling in most cases.
The forthcoming changes will put additional administrative strain on businesses as they
move towards compliance – I advise businesses to start preparing for changes now and start marking data protection an integral element of business procedures.
If you wish to discuss any of the issues raised in this article or would like assistance with updating your terms of business please contact Rebecca Anforth, Head of Intellectual Property, on 01872 226999 or author of the article.
The information provided in this article is for general information purposes only and does not constitute legal or other professional advice and cannot be relied upon as such. Any law quoted in this article is correct as at 14 June 2016. Appropriate legal advice should be sought for specific circumstances before any action is taken. Copyright © Murrell Associates Limited, June 2016.