Political agreement has been reached on an EU-wide data protection law designed to create a 'one-stop shop', with a common set of rules applying across the continent. This will effectively replace the UK's current Data Protection Act.
The law applies to any area in which a business processes data on individuals (e.g. customers, suppliers, users of a website). But it is probably in relation to employees that businesses process the most data, in terms of both its range and its quantity.
Importantly, the new rules are backed by a much fiercer penalty regime than presently applies. The maximum penalty for non-compliance will be €20m or 4% of an undertaking's worldwide annual turnover, whichever is higher. This is likely to focus minds at board level in most organisations.
While the new legislation will not apply until 2018, extensive forward planning and preparation will be required. From the top down, organisations need to embrace a culture of taking data protection responsibilities seriously, and should start now to identify the policies, processes and training they will need to put in place to ensure compliance.
Michael Burd and James Davies work at Lewis Silkin LLP solicitors. Email them at: firstname.lastname@example.org