Article contributed by ACCA
A look at the current rules around, and planned changes to, data protection.
A look at the current rules around, and planned changes to, data protection.
The Data Protection Act 1998 is the main legislation which relates to data protection and includes the powers of the Information Commissioner’s Office (ICO) and duties placed on organisations and their data controller. The main aspects of the legislation cover:
- an obligation on certain organisations to register with the Information Commissioner’s Office (ICO)
- the rights of individuals
- rules relating to sending personal data outside the European Economic Area
- the right to compensation
- exemptions
- rules on use of cookies and similar technologies.
New draft regulations were issued in January 2012 and it is expected that the draft regulations will be finalised around the end of 2013. They are likely to come into force in 2016. These regulations are due to be implemented directly by every country in the EEA with the regulations being the same in each country. These new regulations are likely to be more onerous than the legislation currently in place.
Main changes
Some of the main changes proposed by the new Data Protection Regulations are as follows:
- only data controllers were subject to the Data Protection Act 1998 whereas data processors will also be liable under the Data Protection Regulations
- the potential fines will be increased
- security breaches will need to be documented and notified to the regulator within a short period of time
- data processors will need to alert controllers immediately of any breaches
- global transfers of personal data will be more restricted
- non-EEA data controllers will be subject to the new regulations.
ACCA’s Technical Factsheet 176 provides more detail on the current requirements.
The Information Commissioner’s Office also has various guides on this subject, including this specific guide.