Having attended the Westminster eForum’s keynote seminar recently, which looked at preparing for the new European Data Protection Framework, here’s a quick summary of what the new regulation includes, and what people at the seminar were saying about it.
Summary of the new regulation
- An updated definition of personal data, which now explicitly mentions online identifiers, locational data, and genetic data.
- Consent will have to be explicit.
- Organisations must actively report data breaches.
- Some organisations will be required to appoint a Data Protection Officer (DPO).
- Abolishing the fee (max £10) which organisations can charge for subject access requests.
- New “right to be forgotten”, whereby in some circumstances individuals can request that an organisation erase all the personal data it holds on them.
- In some situations, national supervisory authorities will be able to take action against organisations in other EU Member States.
- Supervisory authorities will potentially be able to fine up to €1m or up to 2% of a company’s annual turnover.
Largely as expressed at the seminar by David Smith of the ICO
- Necessary modernisation – there was general consensus from all the speakers that the current framework is now out of date and doesn’t adequately protect people’s privacy rights, especially their online privacy, given the significant technological developments of recent years, including the widespread use of social media networks.
- Enhanced rights for individuals.
- Legal obligations for data processors.
- Businesses will be held accountable for having the correct systems and practices in place.
- Improved consistency (as opposed to harmonisation) across the EU.
Cons / challenges
- How to strike the right balance between better protecting people’s online privacy, given companies’ use of their personal data, and not putting overly onerous data protection burdens on businesses (especially SMEs), which could stifle technological and business innovation. Certainly, there has been an unprecedented number of suggested amendments (estimated to be a record 5000!), and these will take some time to be processed and resolved.
- How to strike the right balance between using data for good (e.g. Lord McNally gave the example of helping identify and work with dysfunctional families), and not overstepping the privacy mark.
- Many of the speakers said that the “right to be forgotten” was an overstatement, with the title proving a problem. In reality it will be extremely difficult, if not impossible, to be totally forgotten everywhere online. However, the main point is for individuals to be able to say they object to their data being processed.
- Clive Davenport, of the FSB, was particularly concerned about the potential burden the new regulation would put on SMEs, and in general the feasibility of complete compliance was questioned throughout the seminar.
- Nick Stringer, of the IAB UK, spoke in favour of including the “pseudonymous data” subset to provide a reasonable and legal basis for businesses to process information. He further highlighted the need for striking the right balance between safeguarding online privacy and providing consumer benefits (e.g. data enables more effective marketing), and promoting business (data drives the digital economy, and digital advertising also drives many SMEs and start-ups).
- Mina Mehta of GSK also called for a balance between prescription and proportionality.
One clear message was that the framework is still a work in progress, and therefore people can and should act now to try to shape and amend it. Negotiations are expected to commence in June 2013, with results expected by the end of the year and the final version in place for summer 2014. So there is still time to act to try to make changes. However, the ICO also pointed out that there’s time to get your house in order.