Preparing for the Data Protection Regulation

Local authorities will need to prepare for the burdens likely to be placed on them by the EU's Data Protection Regulation, write Bhavisha Mistry and John McDermott.

In April 2014, Microsoft was awarded approval for its Cloud services by the EU’s Article 29 Working Party on data protection. It shone a spotlight again on the issue of data protection and security in the post-Snowden era.

A draft of the European Commission’s proposed Data Protection Regulation (COM (2012) 11 final) (‘the Regulation’) was issued in 2012. If approved it is intended that it will replace the existing Data Protection Directive (95/46/EC) (‘the Directive’), widely held to be outdated and not fit for purpose in the internet age. The Regulation contains a number of reforms which will increase the regulatory requirements on public bodies regarding their processing and retention of ‘personal data’ (essentially data relating to a living person).

Once enacted the Regulation will be directly effective in all EU member states without the need for any domestic legislation to transpose it.

The Regulation is contentious, highlighting the conflicts between individual protection, data protection, and centralisation of European powers on the one hand, versus administrative burdens, freedom of expression, and the desire for greater member state autonomy on the other. It also raises the prospect of local authorities, already stretched by austerity-era cuts, facing greater administrative and financial burdens.

The measures in the Regulation most likely to impact on local authorities are:

Data Protection Officer: All public authorities must appoint a data protection officer for a minimum of two years. Whilst several entities can share a data controller, the requirement may impact on local authorities’ training and/or recruitment budgets.

Data security: Data controllers must implement appropriate measures to ensure the security of data being processed. This could place a strain on authorities’ overheads and training budgets. Training may be required to ensure that data controllers are kept abreast of data security risks and safeguards, and costs may be incurred updating security software and processes in order to ensure compliance.

Data security breach notification: Data controllers must notify the national data protection authority, e.g. the Information Commissioner’s Office, and in some cases data subjects, of personal data breaches within 72 hours of any breach. Whilst an improvement on the original proposal of 24 hours, it still increases the pressure on data controllers to monitor the authorities’ use of personal data, and gives a tight timescale in which to notify the relevant parties which may be difficult to comply with in practice.

Data Protection Impact Assessments: Local authorities will need to conduct impact assessments before processing any personal data which may pose a privacy risk, such as large-scale CCTV monitoring and the processing of personal data relating to children. As part of the assessment, data controllers must consult the data subject or their representatives on the intended processing.

This raises questions on how this will be practicable given the potential number of people who will need to be consulted, and the resources involved.

Furthermore, local authorities that process personal data on more than 5000 data subjects in 12 months will need to periodically monitor compliance with the Regulation. There is no specified monitoring procedure, but authorities will need to implement monitoring systems of some description in order to demonstrate compliance. Depending on the size of the authority and amount of data stored, this could prove particularly burdensome.

Consent: The data subject’s consent to the processing of their data must be freely given, informed and specific. The burden of proof is on the data controller to demonstrate that the appropriate consent was given.

Data subject rights: Data subjects will have greater rights of access to, and in some cases a right to deletion of, their data. There is a potential “floodgates” issue of how local authorities will deal with increased requests for subject access, and for deletion of personal data, which is a new development.

Data subjects will also be entitled to request a copy of their personal data by electronic means and in a structured and commonly used format (“data portability”). Whilst targeted at online service providers, public authorities may still find themselves under the additional burden of complying with the data portability provisions, which could have significant cost implications.

Employment: Data controllers must not rely solely on consent as a legal basis for processing personal data where the data subject is in a situation of dependence on the controller, which applies to the employee-employer relationship. Employers therefore need to ensure that another condition for lawful processing of personal data is identified and complied with, e.g. that the processing is necessary for the performance of a contract to which the data subject is a party, or is necessary to comply with a legal obligation to which the data controller is subject.

As around 2.5m people are estimated to be employed in local government, authorities may have to re-evaluate their processes and data stored in relation to their employees and identify the appropriate conditions for processing their employees’ personal data, which again could impose a significant administrative and financial burden for local authorities.

Conclusion

The EU Parliament voted to approve the Regulation in March 2014; however, the Regulation is still going through the legislative process and could yet be subject to change. Whilst there is no mandatory timetable in place, some commentators predict that the Regulation could be agreed in 2015 and come into force by 2017. However, it is worth bearing in mind that previous predictions have proved optimistic.

What seems clear is that the proposed regime under the Regulation is a lot more burdensome, and local authorities will need to be prepared for the extra costs and time required to comply with it.

Bhavisha Mistry and John McDermott are solicitors at national law firm Weightmans LLP.