UK businesses will most likely be unprepared for the scale of the changes they face, as the new law is likely to come into force more quickly than would otherwise be the case.
Mike Gardner, head of intellectual property at Wedlake Bell, said: “Clearly any protection in this area for consumers is a good thing, particularly when digital payment is becoming common currency. People do need to have a measure of control over the use of their personal information.
“It concerns me, however, that some of the EU’s proposed measures could stifle innovation and impede economic growth. Unless UK plc voices its concern over the new rules from Brussels, it could mean a real headache for UK businesses. For example, under the current proposals any businesses with over 250 employees will have to appoint, for not less than a two-year term, a suitably qualified ‘data protection officer’.
“There are believed to be more than 10,000 businesses in the UK who will face this requirement. It will clearly be an organisational and administrative nightmare to comply with this rule alone. Also, the 250 employees requirement is arbitrary and takes no account of how much personal information a business may have under its control.”
The UK’s Information Commissioner’s Office (ICO) has welcomed reform of the law, but has also expressed serious concerns about the prescriptive nature of the EU proposals and the additional burdens they could place on businesses, especially SMEs. In particular, the ICO has questioned the focus upon rigid procedures and rules, as opposed to a more risk-based, outcome-focussed approach.
Commenting on the potential impact of the regulation, Gardner said: “We have seen a number of well-publicised data protection breaches by organisations ranging from corporations to public sector and charities, which have had very serious consequences both from a reputational and financial perspective. If the new EU laws are implemented in their current form, businesses will certainly face increasing costs and scrutiny as well as more serious penalties if they get things wrong. UK businesses must prepare for these changes – doing nothing is not an option.”
The timing of the new Regulation remains uncertain, but the European Parliament has already approved it by an overwhelming majority. Following that vote, the Commissioner responsible for the new Regulation described the Regulation’s eventual introduction as “irreversible”.
Wedlake Bell suggests that there is little doubt that sooner or later the regulation will have huge ramifications for data protection in this country and the rest of the EU.