Jumping the gun on EU data protection
Europe’s data protection regime is now nearly 20 years old, predating the cloud, social media and smartphones.
When the current law was passed, I was just getting the hang of surfing the web with Netscape Navigator and was about to be granted my very own email address at university, accessed through Pine. Suffice to say that the current regime is looking more than a little out of date.

It is fairly well known that changes are afoot to the existing Data Protection Directive and the UK’s associated Act. The changes currently being proposed would affect all businesses, great and small, and we are frequently asked what they should be doing to prepare. However, it will be some time before an agreement is made, and then even longer until the new regulations are implemented into UK law.

Pistols at dawn

Data protection is a contentious issue in the European Parliament, with MEPs disagreeing over more than they agree. The European Council has proposed three thousand amendments to the 95-page draft prepared by the European Commission - and it’s only just beginning to sink its teeth into the detail.

A number of major issues have been raised about the draft regulation that are yet to be resolved, for instance:

• It places a significantly greater burden on data controllers to make sure that their processes are compliant. The UK’s Information Commissioner’s Office (ICO) has complained that the suggested new rules in this area are too prescriptive.

• It requires businesses to notify data security breaches to their local data protection authority within 24 hours, but a committee of the European Parliament suggests that it should be 72 hours.

• The draft suggests that the new rules should apply to data on EU citizens processed anywhere in the world, but the ICO questions how this could possibly be enforced.

• The draft gives data subjects the ‘right to be forgotten’, for example on social networking sites, but nobody seems to understand how this would work in practice.

The ICO is also getting worried about how it will fund the significantly more rigorous regulation if it isn’t allowed to charge data controllers for their annual registration renewals. Will the European Council really pass a law that requires governments to increase taxes to pay for an expanded role for an EU-mandated non-departmental public body?

Given all of this uncertainty, what should UK businesses do now? First, they should get their houses in order under the existing regime. It may be 20 years old, but many of the existing principles look to be here to stay. Complying with the current regime is a good stepping-stone to compliance with whatever replaces it - and in my experience, few businesses can afford to be complacent about their existing processes.

Accolade, October 2013

Original story found here:
http://www.computing.co.uk/ctg/opinion/2285394/jumpingthe-gun-on-eu-data-protection/page/1