In January 2012 the European Commission proposed a reform of the EU’s 1995 data protection rules to unify them in a single law, the General Data Protection Regulation. This regulation will be directly applicable in the 27 Member States since, unlike directives, it does not require any implementing measures at local level. It will therefore repeal the current Data Protection Directive 95/46/EC and remove the existing fragmentation of rules, avoiding divergences in enforcement.
The new regulation, which will most probably enter into force at the beginning of 2014, establishes three main features that will affect organizations for the benefit of the data subjects’ rights and interests.
First, the proposed Regulation establishes the “privacy by design and privacy by default” principle, according to which the controller would be obliged to design its organizational structure, technology and procedures in a way that meets the requirements of data protection. The controller shall therefore implement mechanisms ensuring that only those personal data are processed which are necessary for each specific purpose of the processing, and in particular that data are not collected or retained beyond the minimum necessary for those purposes. More specifically, such mechanisms should ensure that those personal data are not accessible to an indefinite number of individuals within each organization. This requirement is of fundamental importance for software developers, since they will have to adapt their programs so that their clients are able to comply with it.
Secondly, Data Protection Impact Assessments (DPIAs) will be required where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. This obligation will fall on both the controller and the processor acting on the controller's behalf. The new Regulation establishes the minimum elements that the assessment should contain, i.e. a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, and the safeguards, security measures and mechanisms to ensure the protection of personal data.
Finally, the mandatory appointment of a Data Protection Officer (DPO) has been introduced for public authorities, for companies with more than 250 employees, and for those whose core business consists of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. The possibility is also being studied of requiring a DPO to be designated in those companies whose filing systems concern more than 500 data subjects, which would in practice make a DPO compulsory in every private company. In Spain, the existence of this DPO will mean that it is no longer necessary to notify filing systems to the supervisory authority, the Spanish Data Protection Agency.
In the light of the above, the DPO will be an essential figure in organizations, since he or she will be responsible for implementing a culture of privacy in accordance with the general principle of this Regulation, the "principle of accountability", which is given effect through the DPIAs, the privacy by design and privacy by default principle, and close cooperation with the supervisory authorities.
This new regulation will require a considerable effort from organizations to comply with their data protection obligations. Indeed, they will be obliged to appoint a Data Protection Officer for at least 2 years in order to comply with it.