The new regulation could mean increased fines for data breaches and involve costly upgrades of IT systems, says Alison Deighton
All businesses that process data will be affected by the new Data Protection Regulation. In order to implement the new requirements, once they have been finalised, hoteliers and caterers will need to carry out a significant overhaul of their data policies and procedures.
It is now three years since the European Commission first published its plans to introduce a new Data Protection Regulation to replace the various national laws that exist across the 28 EU member states. The intention is for the regulation to have direct effect in all member states. This would mean that, in the UK, the Data Protection Act 1998 would be superseded by the regulation without the requirement for further legislation.
Progress towards implementation has been slow. In fact, the draft regulation is already the most amended piece of European legislation ever.
Further technical work is still required by the European Council over the coming months and current predictions are that the text will be finalised by spring 2016. Once the regulation is finalised, it will come into force two years after approval.
Although it is still not possible to say with any certainty what the specific changes will be, it is clear that significantly higher fines will be introduced if data breaches occur. The European Parliament is currently proposing maximum fines of €100m or 5% of annual worldwide turnover.
The current proposals also impose new legal obligations, such as a requirement to carry out data protection impact assessments and ensure ‘privacy by design' for new projects.
Individuals' rights are also expanded, which will require organisations to introduce new policies, procedures and training to ensure that such rights can be respected.
Leisure operators should start to consider what changes will be required to their internal procedures as soon as possible, particularly in relation to the following areas:
Data deletion The additional right for an individual to have all of their data deleted in certain circumstances will require businesses to ensure they can identify where all of theirdata is held and to categorise whether, and when, it needs to be deleted.
Profiling All procedures involving automated processing will have to be scrutinised carefullyand individuals will need to be informed of their rights to object.
Privacy notices These will need to be expanded to inform individuals about retention periods, their individual rights, their ability to complain to the Information Commissioner's Office (ICO) and the "legitimate grounds" under which data processing is permitted.
Breaches Breach management procedures will need to be put in place and staff trained to handle the new mandatory requirement to notify the ICO of any data security breaches.
Appointment of a DPO If they fall within certain criteria, businesses will need to appoint an expert data protection officer.
Although no date has been fixed for implementation, progress is being slowly made and the changes envisaged are now inevitable.
Leisure operators should therefore familiarise themselves with the proposed changes now, so they can identify the actions that will need to be taken over the next couple of years.
Alison Deighton is a partner at TLT Solicitors Alison.Deighton@TLTsolicitors.com