2012 was an exciting year in the UK. The country was abuzz with Olympic fever, the Queen celebrated 60 years on the throne, and our very own Andy Murray became the first British man to win a Grand Slam Tournament in the best part of 100 years.
However, while we were busy being awash with national pride, the EU Commission was proposing legal reforms which have the potential to change the way in which every EU organisation (and beyond) operates when it comes to handling personal data.
In an attempt to modernise and strengthen the current rules regarding data protection, the Commission published its draft of the General Data Protection Regulation (GDPR), a comprehensive reform of the rules currently enshrined in our Data Protection Act 1998.
The draft sets out a number of provisions which aim to deal with the problems of the current system that have cropped up over the years as a result of technological advancement, globalisation, and fragmented enforcement of rules across member states. The key elements include the creation of a single set of rules, increased enforcement powers including an increase in potential fines, a duty on organisations to report breaches within 24 hours, and provisions giving people easier access to and more control over their personal data, including a "right to be forgotten" and the introduction of "data portability".
Since the Commission's first draft in 2012, progress has been slow. Back in December 2014, MEPs reached agreement on the European Parliament's position, adopting a revised draft of the GDPR. On 15 June 2015 in Luxembourg, some three and a half years after the Commission's first proposal, the Council of Ministers voted in support of a "General Approach" to the GDPR.
This General Approach saw agreement on a number of key areas including:
- Establishment of a single set of rules. Organisations will have to deal with one law, valid across the EU, avoiding the need to deal with member states' varying rules. The Commission has suggested this will save businesses around €2.3 billion a year.
- A reinforced "right to be forgotten", enabling citizens to have their personal data deleted if there are no valid grounds for retention.
- Companies based outside of Europe will have to apply the EU rules when offering services in the EU.
- An increase in the financial penalties that can be imposed on companies found to be in violation of the rules. Data protection authorities will be able to impose fines of up to €1 million or up to 2% of global annual turnover, a big increase from the ICO's current limit of £500,000.
- The establishment of a "one-stop shop". Businesses will only have to deal with one authority, instead of a different body in each EU country in which they operate. Individuals will only have to deal with their home national data protection authority, in their own language, regardless of where the data is processed.
However, despite general agreement in these key areas, there are still a number of major differences of opinion which will need to be reconciled. Trilogue negotiations between the Commission, the European Parliament and the Council will begin tomorrow. It will be through these negotiations that the finer details of the regulation will be ironed out in a bid to agree on a finalised document.
It appears that the intention of the parties involved is to reach a consensus by the end of the year (2015). Whether that will happen remains to be seen, but we do know that progress is being made. If all goes according to plan, we could see the introduction of the GDPR in 2016/17. It is, therefore, time for businesses to start preparing by getting clued up on the likely changes and what will be expected of them under the new rules. With fines of up to €1 million or up to 2% of global annual turnover likely to be introduced, it is not something businesses can afford to ignore!