Biggest Data Protection Shake Up for Years

March 1, 2012 1:44 pm - Categorised in: Commercial Law

The EU is proposing a new Regulation to enhance people’s data protection rights and harmonise requirements across the European Union.

“The law has been dragging behind the online explosion that has transformed the way we live and do business – this revision tries to catch it up” says Murray Macnab, Corporate and Technology Lawyer.

The consultation period will end in March and so the draft law may change – the Information Commissioner is lobbying for some materiality exclusions for minor issues.

The Good News:

Creates a level-playing field in the EU zone as all businesses in the zone AND those marketing to people in the zone have to comply
People can sue for data protection breaches and do not usually have to pay to get a copy of their data
Makes it clearer how data is used
Establishes a ‘Right to be forgotten’ – i.e. a right to have data deleted, even if it has gone public on a social network
No longer a need for controllers to register with the Information Commissioners Office (saving £35 p.a. for small and medium sized businesses and charities)

The Bad News (for organisations large and small):

Greater risks and compliance costs (especially ISPs)
Crucial need to update website privacy policies, opt-outs, consent wording and the process for data capture, collection and usage generally – someone’s implied consent to data use will not be good enough
Those that handle, store and process data for others (data processors) are now liable too, not just those in control of the data (data controllers)
It will be up to the organisation to have meaningful, demonstrable and achievable internal procedures and practices
Crucial need to update all contracts where data protection is involved – especially between controllers and processors, over and above the current requirement to have a written contract
International data transfer outside the EU still requires additional safeguards, though there is some more help for data processors to cope with that
Businesses with over 250 employees or that are carrying out sensitive activities will need a Data Protection Officer and cope with other related responsibilities.

The draft Regulation will need EU approval so may not be in for quite a long time but business will need to be ready to comply with it.

“We have recently seen a change of focus within legislation, such as with the Bribery Act, to put the onus on businesses to create and administer internal policies and procedures to show steps to compliance. This Data Protection Regulation has a similar approach.

Good companies that care about their customers’ and other’s data will probably have the makings of relevant internal procedures in place, although these will need to be formalised” commented Murray. “ An overhaul of tick boxes and opt-ins on websites will be the tip of the iceberg.”

If you would like to know how the draft Regulation ends up or would like help with your website or data protection issues please contact Murray Macnab on m.macnab@ellis-fermor.co.uk or 0115 983 5225.

Back to News

Cookie	Type	Duration	Description
_cf_bm cookie for Cloudflare Bot Management	third party		https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies
_cfduid cookie for identifying individual visitors privately	third party		https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies
_cflb cookie for Cloudflare Load Balancer session affinity	third party		https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies
Google Analytics Cookie	third party	2 years	Used to distinguish users. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google Analytics Cookie	third party	24 hours	Used to distinguish users. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google Analytics Cookie	third party	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google Analytics Cookie	third party	30 seconds to 1 year	Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google Analytics Cookie	third party	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more. https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Mobile WordPress Cookie	session	Duration of the users session	This is a mobile cookie that indicates whether we are in a desktop or mobile view.
Mobile WordPress Cookie	session	Duration of the users session	This is a mobile cookie that indicates whether we are in a desktop or mobile view.
WordPress Session Cookie	session	The full session of the user	This is used by wordpress and uses cookies to store the current login /status of the user
WordPress Subscriber Cookie	persistent	1 year	This is used by wordpress and uses cookies to define what user level a logged in user is. This means access to different areas of the website can be limited depending on the user.
WordPress Subscriber Cookies	persistent	1 year	This is used by wordpress and uses cookies to define what user level a logged in user is. This means access to different areas of the website can be limited depending on the user.