The European Commission has drafted an update to the EU data
protection law, its first overhaul since implementation in
1995. The changes would introduce a single set of rules on data
protection, valid across the EU, a move the Commission says will
save businesses some €2.3 billion a year in administrative
costs.
Among the changes, the reforms set out more stringent rules
regarding data breaches; companies must notify the national
supervisory authority of serious data breaches as soon as
possible, and within 24 hours “if feasible”.
Companies with more than 250 employees, whose core business involves
processing activities, will also be obliged to appoint a data
protection officer. Should the new proposals come into force,
companies that violate them could be fined up to 2 percent of
their global annual turnover.
Other proposals include harmonisation of administration
requirements; there will be one set of rules across the EU and
organisations will only have to deal with a single national data
protection authority in the EU country where they have their main
establishment. Further, EU rules must apply if personal data is
handled abroad by companies that are operationally active in the
EU market.
In a significant update, individuals will be given more rights
regarding the way their data is processed. They will also have a
“right to be forgotten”, giving them powers to delete
their data if there are “no legitimate grounds for
retaining it”. This data can include anything from an
individual’s name and email address, to bank details or even
posts on social-networking websites.
As an individual’s consent has to be “given explicitly,
rather than assumed” for his data to be processed, this
will have far-reaching implications for marketers. “UK
businesses need to be worried about the potential impact of the
Data Protection Regulation on their ability to market their goods
and services to consumers. Severe restrictions on the way in
which they can use personal data for marketing purposes will be
hugely damaging to sales,” said Chris Combemale, executive
director of the UK’s Direct Marketing Association.
The DMA says it’s particularly concerned about the draft text
regarding the right to be forgotten. The DMA says the current
draft is unclear on the point that the use of suppression files,
which are used to allow consumers to opt-out, will be exempt from
the “right to be forgotten”. Combemale added,
“We fully appreciate the need for data protection rules to
be in place to build consumer trust in sharing their information
with companies, but getting this balance wrong will have terrible
financial consequences to UK plc”.
The proposals will now be discussed by the European Parliament
and EU member states, and if adopted, will come into effect two
years later.