Mark Greenburgh: I am joined by Kirsten Whistfield, a director in our commercial contracts team who specialises in data protection.
Kirsten is going to be discussing the draft regulation published by the European Commission on data protection.
Kirsten, I think the draft regulation was published in January 2012. There has been some debate since then about implementation. Can you tell us where we are with that now?
Kirsten Whistfield: Well yes, there has been some speculation that the regulation will just fizzle out and not happen, but it is just that, speculation.
There's been such an amount of work from the European Commission, the parliamentary committee and member states, and such an amount of debate about it, I think it will go ahead.
Mark: It's certainly high-profile at the moment, isn't it?
Kirsten: It certainly is.
Mark: As and when those new regulations do come into force, what are those key changes likely to be?
Kirsten: Well importantly, this regulation will come in with direct effect, which means there won't be any national implementation,
unlike with the directive where it was implemented into our national laws, in the UK that's the Data Protection Act 1998.
Many of the current principles that we have under the Data Protection Act will remain the same, but what will change is that they'll be toughened up and they'll get stricter than they were before.
There's also going to be some new things coming in, for example mandatory security breach notification, mandatory data protection officers.
There's a new right to erasure of your data or right to be forgotten, and also a right to portability of your data which is you being able to ask,
as an individual, to have a copy of your information in a certain format, or for your information to be passed to a new service provider.
What will be very important for service providers to the public sector is that for the first time, service providers who are data processors will be caught directly by the data protection laws.
So currently under the Data Protection Act, it only applies to the data controller which will typically be the public authority,
and not to the data processor i.e. their service provider. So that's going to change.
The other thing that's going to change and the one thing that has probably been most bandied about in headlines is that the penalties for non-compliance are going to be much tougher,
so we are going to be talking about €1,000,000 fines or potentially 2% of global annual turnover. So really eye-watering.
In fact, recently one of the parliamentary committees at European level who gave the regulation a big thumbs-up have proposed increasing that even further,
so it could potentially end up being €100,000,000 or 5% of global annual turnover.
Mark: But because the parliament's proposed it, it doesn't make it automatically law, does it?
Kirsten: No, that's right, it's just a proposal and we're waiting to see what happens.
Mark: Obviously, personal data is a key issue in the public sector, so under these new regulations, how much more effective will that be?
Kirsten: Personal data is a big issue for the public sector. They will typically hold much, much more personal data than the average business in the UK and a lot of that data might be really quite sensitive,
so it could be information about people's health, it could be information about children, or information about people's social circumstances.
Although the public sector won't benefit from one of the key aims of the regulations, which is to promote consumerism online,
where they will benefit is that it will encourage people to use their services through new channels, such as through their websites.
I think one of the challenges for the public sector is that some of the obligations are going to increase their burden in terms of work,
so for example the right to have your data erased and the right of portability of data.
I think that what the public sector will need to watch out for as well is that things like the right to have your data erased could be misused by people who are wrongdoing and want to cover up what they're up to.
But the good news is that in many ways the public sector are probably doing a great deal in terms of complying already,
so many of them will have data protection officers anyway, which is one of the new requirements,
and also the public sector tends to have much more of a culture of notifications of data security breaches, which is one of the new requirements that will be coming in.
Mark: And is it envisaged that this will be policed by the Information Commissioner's Office in the same way as the current regulations?
Kirsten: It will be policed by the Information Commissioner's Office, but it may well be policed much more strictly than previously.
Mark: So how do these new draft regulations impact or overlap with existing Freedom of Information Act laws and requirements?
Kirsten: Well, freedom of information and data protection are really two different sides of the same coin, and the public sector has been grappling with both sides of the coin for many years.
So they will be used to getting requests for information and grappling with the question of whether actually the information requested is personal data and, therefore, should it be dealt with under data protection.
So for many years they've been scrutinising the question as to whether something or information requested is or isn't personal data,
so one thing that the public sector will need to watch out for when the new regulations come in is that the definition of personal data may well become wider.
So at the moment our definition of personal data in the UK has been shaped by guidance from the Information Commissioner and also some key cases such as Durant.
Now when the regulations come in, that may well change and we may go back to a much wider definition of "data relating to an individual".
Mark: Do you have any tips for us on reducing data risks?
Kirsten: Well, we don't have a finalised draft yet, so I wouldn't advise trying to future-proof what you're doing.
There are some things you can be doing now, though.
I would say carry out a health check to make sure that what you are doing is compliant at least with the current regime, so look for any gaps that you might have and key risks and plug them,
and that will get you in good shape for when the regulations do come in and that leap to the new regulations won't be quite as great.
I think there are a few things that it's always good to particularly focus on when you're carrying out one of these assessments, and I would say look at security in particular.
I'd say look at data management, because you don't want to be collecting data that you don't need in the first place, and, once collected, make sure you don't hold it for longer than you need to.
I'd also say look at your data sharing and disclosure protocols. You'll want to make sure that when you are sharing or disclosing personal data you're doing so compliantly,
and every party that you're disclosing it to is also complying with data protection obligations.
If you're the service provider, you need to start thinking seriously about this risk that for the first time you could well,
as the service provider, be directly liable for breaches of the data protection regulation.
Mark: Is that something that can be dealt with in a contract?
Kirsten: You could try to deal with it in a contract to an extent, but the liability could come directly from the regulators,
so if you're in breach you may find that they come after you directly rather than the public sector provider.
Mark: And finally, do we have any idea on when these new regulations might be brought into force as yet?
Kirsten: Well, it's been delayed and delayed and delayed. It probably will be around the end of 2015/2016, but again that's speculation, because we haven't had that confirmed.
Mark: Okay, Kirsten Whitfield, thank you very much.
Kirsten: Thank you, Mark.