The current UK Data Protection Act (DPA) was ratified in 1998, just as the public internet was taking off. Its replacement, the EU General Data Protection Regulation (GDPR), is expected to emerge from years of protracted negotiations onto the statute books at the end of 2015 or early in 2016.
It is widely agreed that the current rules are in urgent need of a refresh, given the huge changes that have taken place since 1998, with mobility, home-working and e-commerce all having taken off since that time and with a hyper-connected Internet of Things (IoT) world of driverless cars and smart homes just around the corner.
However, organisations could be forgiven for being unprepared for the changes. The legislation has changed markedly as it has bounced between the European Council, Commission and Parliament, but news of these changes emerges more often through leaks than via a formal announcement.
That said, there are some changes that are likely to emerge relatively unscathed. One is the requirement for companies that control and process personal data to appoint a Data Protection Officer (DPO) if they employ 250 people or more, or if processing such data is their core business.
Another is mandatory reporting within a certain time period, to both the authorities and people affected, of security breaches concerning personal data. And another requires companies to conduct a privacy impact assessment (PIA) to identify potential impacts on the privacy of individuals.
There are also likely to be changes in the way that consent is required for the use of personal data, although what will emerge on this is less clear.
Rik Turner, senior analyst at Ovum, said that the changes represent an updating of the current rules rather than a radical overhaul.
“We live in a very different world from 1995, which was when the last big piece of EU regulation in this area came out,” Turner said.
He continued: “It’s a world in which mobile working is the norm, with data being held all over the place. Today, we don’t necessarily know where our data is residing, and that’s clearly an issue for some countries and their citizens. This new legislation is making sure the regulations are appropriate to the technological landscape as it unfolds before us and takes into account how it has changed over the last 20 years.”
A survey of 150 UK businesses ranging from SMEs to large enterprises, commissioned by Fujitsu in December, found that by and large IT decision-makers welcome a tightening of rules around data protection.
Eighty per cent said that more stringent data protection laws are needed in this data-driven world, and 40 per cent do not believe that current regulation around data protection and privacy is adequate to protect an individual’s data.
Interestingly, 61 per cent would welcome larger fines for data protection negligence and would like to see them introduced, presumably because they feel it will focus minds on the area of information security, for which they may be legally responsible. In the GDPR’s current draft, firms may be liable for a maximum fine of two per cent of global annual turnover in the event of a breach (down from a five per cent maximum in earlier discussion documents, but higher for large organisations than the current £500,000 limit).
However, only half said they are ready for the new GDPR, and respondents feel that the new regulations need to be discussed as a matter of urgency in the boardroom.