A new era of data protection

The European Commission's proposals to overhaul data protection law are likely to have a major impact on public bodies, write Marc Dautlich and Samantha Livesey.

The European Commission's proposal for a Data Protection Regulation (the "DP Regulation") is the biggest change in data protection law in nearly 20 years and, in its current form, introduces new rules that will without doubt increase the regulatory burden on public sector organisations.

Published on 25 January 2012, the DP Regulation will come into force in 2014 once it has passed through the relevant legislative process in the European Council and the European Parliament.

Once in force, the DP Regulation will immediately become directly binding on all data controllers and data processors throughout the EU, thereby harmonising data protection law across the Member States. This in itself is welcome news: the current Data Protection Directive 95/46, which had to be transposed into national law by each Member State, singularly failed to achieve a harmonised EU data protection regime despite this being one of its main objectives.

However, there are plenty of concerns about the provisions of the DP Regulation and the additional layers of administration and cost which will inevitably result from its enactment. As the DP Regulation's accompanying objectives statement makes clear: the DP Regulation is designed to increase the effectiveness of individuals' data protection rights by "putting individuals in control of their data, particularly in the context of technological developments and increased globalisation." The consequence of increased rights for data subjects is, of course, more onerous obligations for data controllers, and for the first time, data processors.

Set out below are some of the main areas of impact the DP Regulation is likely to have on public sector organisations:

  • Data Protection Officers: As part of the new 'accountability' approach evidenced in the DP Regulation, all public sector organisations will be obliged to appoint data protection officers. The appointment will be for an initial period of two years and the role of the data protection officer will be to secure the organisation's compliance with the DP Regulation. The relevant individual must be allowed to operate independently and should report directly to management. The obligation to appoint a data protection officer applies regardless of the amount of personal data that is actually processed within the organisation. It is likely to place additional financial and administrative burdens on public sector organisations who should be ready to comply with the obligation upon the DP Regulation coming into force.
  • Notification: The DP Regulation will remove the requirement for data controllers to register with the Information Commissioner's Office. However, data controllers will be required to provide the ICO with details of its appointed data protection officer.
  • Accountability Measures: There will be stricter rules on the nature and extent of the documentation about processing which must be kept to demonstrate compliance with the new DP Regulation. At first glance this looks relatively innocuous but data protection officers are likely to be kept busy updating (or in some cases creating) this documentation.
  • Data Protection Impact Assessments: Public sector organisations carrying out high-risk data processing will have to carry out a review of their processing activities before being able to process personal data. The DP Regulation sets out a non-exhaustive list of categories of processing that will fall within this provision, for example health-related processing and large scale CCTV monitoring. Although privacy impact assessments (as they were previously known) are not new, they are not currently codified in law. Their potential impact, in our view, is not yet fully understood. Public sector organisations should consider what kind of guidance and skill sets will be necessary to carry out a data protection impact assessment in accordance with the new requirements and, in particular, how to deal with the outcomes where structural or "privacy by design" changes are needed to the data processing operation to ensure compliance.
  • Breach Notification: Notification to the ICO of breaches of the DP Regulation by public sector organisations will be mandatory, and in some cases notification to the affected data subjects will be mandatory as well. Notification of the breach is required within 24 hours of the organisation becoming aware of it where it is "feasible" to do so. Data processors will also be required to notify their data controller "immediately". This tight timescale means organisations will have to review their current procedures for identifying and dealing with data protection breaches with a view to implementing continuous monitoring and reporting systems. Swiftly investigating the nature and extent of an incident, and setting out in the breach notification the mitigating action to be taken, is likely to require close co-operation between an organisation's legal, IT, HR and senior management teams.
  • Fines: One area that is not going to be welcomed by public sector organisations is the new regime of administrative sanctions for non-compliance of up to 1,000,000 EUR. Non-compliant responses to a subject access request are likely to attract lower fines; whereas, serious data security breaches may well attract the maximum fine. For public sector organisations, the 100% increase in the fine could lead to an unbearable cost for already stretched budgets.
  • Expanded definition of personal data: The definition of 'personal data' has been broadened to cover any information relating to living individuals, and there are specific definitions for genetic data and biometric data. This is unlikely to help with the often tricky task of interpreting whether or not data is personal data for the purposes of the regulatory regime.
  • New protections for children: There are new provisions in the DP Regulation for data controllers processing personal data of children under 13, a concession compared to the under 18 threshold in the leaked draft regulation.
  • Consent: 'Explicit consent' from data subjects to the processing of personal data will be required under the DP Regulation. It will be up to the data controller to demonstrate that explicit consent has been obtained. Furthermore, where there is a "significant imbalance" in the relationship of the data controller and data subject (for example, within the employment relationship), consent will not provide a legal basis for processing. The data controller's obligation to bear the burden of proof for demonstrating consent is in line with the broader shift in emphasis under the DP Regulation to demonstration of compliance through the production of procedures and policies and adequate trails of consent. The UK has so far largely allowed its data controllers to work on the basis of implied consent for many processing activities, so the requirement for explicit consent is likely to require a major change in practice by many organisations.
  • Right to be forgotten: Data controllers will be obliged to delete personal data relating to a data subject where the individual withdraws consent, objects to that data controller’s processing of his information, or where his personal data is no longer needed. There is little indication of how this provision will be enforced or how low the threshold will be to satisfy the conditions to exercise this right. However, it is generally considered that this right will secure protection for individuals in respect of removing data from social networking websites and other on-line applications.
  • Data portability: Data subjects will have the right, where personal data is processed by electronic means and in a structured and commonly used format, to require data controllers to deliver a copy of that personal data to them for further use by the data subject. This is likely to apply to public services suppliers, who may well need to consider designing their platforms to accommodate this requirement.
  • Statutory liability for data processors: Data processors will for the first time in the UK have a statutory liability to implement appropriate security measures when processing personal data on behalf of a data controller. They will also be required to follow the instructions of the data controller and ensure the reliability of their staff in processing the personal data. This additional accountability for data processors will be a welcome change to public sector data controllers but should also be borne in mind by public sector organisations acting as a data processor and may well prompt a requirement to review and update their data processing and security procedures.

The DP Regulation is still in draft form and therefore could be subject to change between now and its implementation in 2014. However, a number of the obligations set out above are likely to be included within the final DP Regulation, even if in modified form. With that in mind, whilst public sector organisations should not be fazed by the proposed obligations, it is recommended that they start planning for its implementation in good time to ensure compliance with the new regime of greater accountability.

Marc Dautlich and Samantha Livesey are partners at Pinsent Masons. Marc is also head of information law at the firm.