The European Commission has signalled that Data Protection laws could face a radical shake-up in the next few years.
The Commission plans to introduce overarching European regulations which could be in place by 2014.
Guidance released so far indicates that individuals could see significant expansion of their rights, including their ability to seek compensation for data protection breaches. Data subjects can expect to be provided with more detailed information when making a data subject access request. Data subjects will also be entitled to know how long their information will be kept. They may also be afforded the “right to be forgotten”, meaning that they can ask for all data held about them to be erased.
Employers can expect to face more onerous obligations, including the requirement to appoint a compulsory data protection officer where there are more than 250 employees and data processing is a core function. The proposals also include stringent new responsibilities for companies to notify data subjects and the data protection authority of any data security breach within 24 hours.
The changes also include a new punitive regime for companies found to be in breach of data protection laws, which could include minimum fines of up to 5% of annual global turnover. At present the UK’s Data Protection legislation provides for a maximum fine of £500,000. The changes could therefore result in a significant increase in risk for some of the UK’s largest companies.
All these measures will necessarily result in a tightening of data protection policies; however, the proposals go further and impose a requirement that all policies and communications relating to data protection must be transparent and easily accessible.
Further detail about the regulations is expected to be announced in 2013 and we will of course keep you updated then. In the meantime, if you have any data protection queries, please don’t hesitate to contact your Legal Manager.