By law, businesses must protect the information they use about their customers, clients and employees. Home addresses, bank details, invoicing and even holiday records all have to be stored and kept safe – sometimes you even need written permission to hold personal or sensitive information, such as staff sickness records.
Under EU proposals, the data protection rules that safeguard our private information are set to get tougher. Simon Goldburn explains what the changes could mean for your business.
Data protection law – set to change under tough new EU rules
EU plans are afoot to make significant changes to the way that a business deals with information it holds about an individual, to recognise that the information belongs to the individual and not the business. As a result, the individual will have the right to access, retrieve or amend the information, or to stop the business from using it, at any time.
The business will only have limited rights to use the information, and in many cases will have to agree a detailed plan with the individual setting out how the information will be used and how long it will be stored.
A business will also have to design, build and implement a system to ensure that it only uses the information in accordance with the plan and to alert the business if the information is used in any other way. The system will have to be kept under review, and any breach affecting personal data will have to be reported “without undue delay” to the Information Commissioner’s Office and to the individual concerned.
The Information Commissioner could then impose a fine of up to €1,000,000 (or, for a business, up to 2% of its annual worldwide turnover, whichever is higher), and the individual could sue for any financial loss or distress suffered because of the breach. The same rules will apply across the EU, so if a business deals with an individual in another EU member state, that individual could complain to the regulator in their own country or sue in their local courts.
Where a business has more than 250 employees, or there is an imbalance between the parties such as between an employer and an employee, higher standards will be required.
The rules could be finalised in 2012, with a two-year transitional period before they apply. The Ministry of Justice has asked for comments on the proposals by 6 March 2012. More information is in the Ministry of Justice’s paper “Call for Evidence on EU Data Protection Proposals - Regulation COM(2012)11 and Directive COM(2012)10”.
Simon Goldburn is Director at Ascent Consultants.