recent work

New data protection law now in sight

Earlier this week the European Parliament decisively voted through the new EU Data Protection reform package in a clear endorsement of the proposals meaning that a new data protection legislative framework is now within sight after months of delay.

The vote, 621 in favour, 10 against and 22 abstentions shows a massive majority of support for reform – the clearest indication yet that despite reports in the media of countries like the UK dragging their feet on the issue – the law across Europe will change in the next year or so. The EU press release says this reform is “a necessity” and is now “irreversible”.

So what does that mean for the UK? Well the proposals are yet to be firmed up but the bar is going to be raised significantly. For instance, the fines to be imposed on firms that break the rules are to be raised to up to Euro 100 million or 5% of annual worldwide turnover. This is an increase on the previously discussed figure of Euros 1 million or 2% of annual worldwide turnover and the current limit of £500,000.  There is likely to be a broadening of the definition of data falling under the scope of the legislation, more onus placed on data sharing/processing arrangements, and a requirement to have professionally trained data protection compliance officers in many organisations.  The rights of individuals to have data erased will be increased.

The overriding principle underpinning the entire proposal is the focus on governance: on data controllers taking a more responsible approach to their processing of personal data; on having structured plans, policies, and procedures in place and an effective training and awareness program; and crucially, being able to provide evidence of having a good governance framework in place.