Data protection: Firmly in the boardroom?

Data Protection Day on 28 January saw the European Commission publish its proposal for revising the current European Union framework on data protection after two and a half years of consultation. Next stop is the European Parliament and the Council of Ministers, where the proposal is expected to face serious debate and further revision. While the detail of EU legislation can seem dry at first glance, the outcome of this process will have implications for the research industry of which we should all be aware.

Crucially, data protection is becoming a heavyweight issue, with those that breach the new framework facing the threat of serious fines – up to 2 per cent of global turnover – bringing the issue into sharp relief for large corporations and escalating it into the boardroom. The obvious benefit to data protection professionals is the likely increase in resources allocated to it, which will only add further to the significant role it will play in customer relations in the future.

New regulations
At a Privacy Laws and Business roundtable with the Information Commissioner’s Office (ICO) on data privacy in February I was one of 50 professionals who debated the proposed new framework. For researchers, the proposal makes some areas clearer; for example, consent for data collection and processing will have to be explicit, creating a single standard for all data processing and removing grey areas such as “implied consent”.

The right to be forgotten, as proposed in the new framework, was singled out for particular criticism around the table. This right, which has been promoted by European commissioner Viviane Reding at every opportunity, has been significantly reduced from the controversial leaked draft of the proposal which appeared in December. In effect, it now offers little more than current provisions on blocking and rectification of data. It does, however, create an expectation among citizens and consumers that their data should be deleted, even when it is necessary for credit records, fraud prevention or underwriting.

Researchers are likely to be well placed to put into practice the cultural changes the framework will enshrine; organisations with more than 250 staff will be required to appoint a data protection officer, an independent position protected from dismissal for a term of two years. This is a feature of German law, although the roundtable discussion noted the obvious flaw: the total number of staff does not provide an indication of the level or sensitivity of the data processing being undertaken by an organisation. An alternative approach would be to consider the number of staff engaged in data processing.

The use of Privacy Impact Assessments before data collection and processing will be more commonplace and this was supported by the ICO. Prior authorisation by the ICO for certain kinds of data processing is also envisaged. This is common in some EU member states and will probably also be required in the UK. In exchange for prior authorisation, the general requirement to notify the regulator of data processing will be abolished. This will have consequences for the ICO, which is currently funded by notification fees. Instead, a levy on UK data controllers was mentioned as a possibility.

Next steps
While the proposed regulation has taken more than two years to develop, it could be – and doubtless will be – radically changed in its passage through the parliament and council. It is rumoured that a German Green MEP, Jan Albrecht, will prepare the report on the proposal for the lead committee in the parliament. This means that while researchers may not have any great difficulties with the current proposal, the research sector will need to be closely involved in the next stages of the process.

The commission would like to see a framework agreed by the end of 2012. But the UK government view is that this is unlikely before 2014, meaning that a new law would not take effect before 2016. The cultural, regulatory and practical implications of the new framework are some way off yet.

However, the time is certainly right for better regulation. The current rules are 20 years old and businesses tend to focus on data security. Across the board more can be done to bring data protection in line with best practice and raise awareness about its implications. It’s an increasingly important consumer issue, and researchers should be at the forefront of understanding and shaping the new framework, not least because data collection and processing – and the insights generated from it – help increase knowledge and inform better policy, social and business decisions.

Barry Ryan is standards and policy manager at the Market Research Society. He was part of a panel that debated privacy in social media in August.