Biggest Data Protection Shake Up for Years

March 1, 2012 1:44 pm - Categorised in:

The EU is proposing a new Regulation to enhance people’s data protection rights and harmonise requirements across the European Union.

“The law has been dragging behind the online explosion that has transformed the way we live and do business – this revision tries to catch it up” says Murray Macnab, Corporate and Technology Lawyer.


The consultation period will end in March and so the draft law may change – the Information Commissioner is lobbying for some materiality exclusions for minor issues.


The Good News:

  • Creates a level-playing field in the EU zone as all businesses in the zone AND those marketing to people in the zone have to comply
  • People can sue for data protection breaches and do not usually have to pay to get a copy of their data
  • Makes it clearer how data is used
  • Establishes a ‘Right to be forgotten’ – i.e. a right to have data deleted, even if it has gone public on a social network
  • No longer a need for controllers to register with the Information Commissioners Office (saving £35 p.a. for small and medium sized businesses and charities)

 The Bad News (for organisations large and small):

  • Greater risks and compliance costs (especially ISPs)
  • Crucial need to update website privacy policies, opt-outs, consent wording and the process for data capture, collection and usage generally – someone’s implied consent to data use will not be good enough
  • Those that handle, store and process data for others (data processors) are now liable too, not just those in control of the data (data controllers)
  • It will be up to the organisation to have meaningful, demonstrable and achievable internal procedures and practices
  • Crucial need to update all contracts where data protection is involved – especially between controllers and processors, over and above the current requirement to have a written contract
  • International data transfer outside the EU still requires additional safeguards, though there is some more help for data processors to cope with that
  • Businesses with over 250 employees or that are carrying out sensitive activities will need a Data Protection Officer and cope with other related responsibilities.

The draft Regulation will need EU approval so may not be in for quite a long time but business will need to be ready to comply with it.


“We have recently seen a change of focus within legislation, such as with the Bribery Act, to put the onus on businesses to create and administer internal policies and procedures to show steps to compliance. This Data Protection Regulation has a similar approach.


Good companies that care about their customers’ and other’s data will probably have the makings of relevant internal procedures in place, although these will need to be formalised” commented Murray. “ An overhaul of tick boxes and opt-ins on websites will be the tip of the iceberg.”


If you would like to know how the draft Regulation ends up or would like help with your website or data protection issues please contact Murray Macnab on or 0115 983 5225.

Back to News