A new European data protection regulation has been delayed being passed into law, giving businesses extra time to get ready for new rules on how they store and process customers’ personal information.
It looks like the new European Data Protection Regulation won’t be ratified until at least 2015, instead of 2014. But although the regulation is still being negotiated, it is now a step closer to being made into law, after being approved by the European Union’s Committee on Civil Liberties, Justice and Home Affairs recently.
The European Data Protection Regulation will introduce sweeping changes to data privacy, which companies must comply with or face the prospect of heavy fines.
For example, consumers will be given the “right to be forgotten”, where they can insist firms delete their data if there are no legitimate grounds for retaining it. It will also make it easier for customers to access their data and they will in future have to give their explicit consent for their data to be processed.
There’s a lot for firms to get their heads around, not least because the proposed regulation is much tougher than existing UK data protection law. It would oblige firms to notify the information regulator of all data breaches – which the UK’s Information Commissioner’s Office (ICO) does not currently require organisations outside the telecoms industry to do. That would mean that UK firms would have to tell the ICO if a memory stick containing clients’ personal information was left in the back of a taxi or a laptop containing sensitive data was stolen in a house burglary.
The firm would then have to identify those people whose data has been lost and inform them of that – a procedure that could be very expensive. It might have to hire a forensic computer investigator to work out how the data breach occurred, who is affected and how to put it right. It could require using a legal expert to spell out its obligations regarding how and what it tells those affected. The firm might also have to provide credit-monitoring facilities to customers so they can ensure hackers are not using their personal information to steal money from them.
Also, the level of fine for improper data storage or breaches would be far heavier under the EU proposal. It proposes fines of up to €100m or 5% of a company’s turnover, whichever is larger. That’s a massive increase on the current situation, where the ICO can fine firms up to £500,000.
It’s an important piece of legislation – a single data protection law for all 28 states within the EU – so it’s necessary that everyone take a little more time over it to ensure they get it right. But businesses should prepare themselves for the new rules. That might cost them extra money, but that sum is likely to be small compared to what it could cost them if they get caught out once the new directive comes in.