The European Commission’s draft data protection regulation, which would require organisations to report data security breaches to the Information Commissioner’s Office within 24 hours, “would be excessively burdensome” for charities, according to BWB lawyer Mairead O’Reilly.
In January the Commission published the draft regulation, which would see national laws, including the Data Protection Act in the UK, replaced with a single EU-wide law.
Under the proposals all organisations, including charities, with more than 250 employees would have to appoint a dedicated data protection officer, and would be required to carry out a data protection impact assessment before undertaking any processing that presents a privacy risk.
Financial penalties for non-compliance would also increase if the proposals are adopted. The new upper limit for fines would be €1m (approximately £825,000) or 2 per cent of annual turnover, whichever is higher. In the UK the highest fine the ICO can currently impose is £500,000.
O’Reilly added: “The regulation represents a significant toughening of data protection in Europe.”
Before the draft regulation can pass into European law it needs to be approved by the 27 EU member states and by the European Parliament, a process expected to take about two years.
“Although it is likely to be some time before the new regime is implemented,” said O’Reilly, “charities should be engaging with the proposed changes and ensuring that data protection is properly factored into their business planning and compliance.”
In March 2012 Enable Scotland was found to have breached the Data Protection Act following the theft of unencrypted memory sticks. Although the ICO did not deem the breach serious enough to warrant a fine, chief executive Peter Scott was required to sign an undertaking committing the charity to improve its data protection practices.
Having one data protection law across Europe does have its advantages, though, according to O’Reilly: “It will mean that when sharing data with their partner organisations or implementing organisation-wide data protection practices, charities won’t need to check that they are complying with local data protection laws,” she said.