EU edges towards risk-based data protection | DMA


The European Commission seems to favour a more risk-based approach to data protection, following lobbying from at least nine countries, including the UK, Germany, Sweden and Belgium. This would mean that organisations dealing with sensitive personal data (health records, for instance) would be subject to greater compliance obligations under the proposed EU Data Protection Regulation than, say, a hairdresser.

The idea is that the accidental leak or loss of sensitive data would have a greater impact on an individual’s privacy than the simple name and address data a local business may hold on a person. The European Council of Ministers and the Commission have not yet agreed on how the risk would be determined, but it is likely that the size of the organisation will also be taken into account.

This is a welcome development and it is hoped that the Commission may make other changes to the proposal. The UK Government and the UK Information Commissioner’s Office (ICO) have previously criticised the European Commission’s proposal for being too prescriptive and not taking account of the risk posed by the type of personal information being processed. (Click here for the ICO’s most recent statement on this.)

Pseudonymised data
The Council of Ministers is looking at whether data controllers and processors can benefit from reduced compliance obligations if the personal information is pseudonymised (where an organisation scrambles information to make the data record less personally identifiable but the data controller retains the ability to unscramble it). The DMA and other industry groups have been lobbying for compliance obligations to be reduced for pseudonymous data.

Differing approaches across the EU
Member States have different approaches with regards to certain aspects of a risk-based approach in the draft Regulation.

  • Data Protection Impact Assessments
    Organisations are required to carry out a data-protection impact assessment when introducing new methods of processing personal information which are likely to present specific risks to individuals. While Member States agree on the need for data protection impact assessments in such cases, some are questioning a provision in the draft Regulation, which requires an organisation to consult with the relevant national data protection authority where such an assessment reveals a high degree of specific privacy risks and prohibits an organisation from starting any data processing activities during this consultation period.
  • Appointment of a data protection officer
    All organisations with 250 employees or more are required to appoint a data protection officer. Some Member States believe that the appointment of a data protection officer should be optional rather than mandatory. They also suggest that organisations that appoint a data protection officer should be rewarded with lighter compliance obligations, as this would help to incentivise the appointment of such officers.
  • Codes of conduct and certification mechanisms
    The draft Regulation explicitly recognises codes of conduct and certification mechanisms. Several Member States consider that there is scope for linking approved codes of conduct and certification mechanisms into the risk assessment process. This might mean that if an organisation signs up to an approved code of conduct, or its data processing operations have been certified, then it would not have to carry out data protection impact assessments.

Over 3,000 amendments to draft Regulation
MEPs have made over 3,000 amendments to the draft report from the Civil Liberties, Justice and Home Affairs Committee (LIBE), published in January 2013. The deadline for submitting amendments was the end of February. The LIBE Committee is now sifting through the amendments. The LIBE Committee is still planning to keep to the current timetable with a vote in committee in April and a debate on the floor of the European Parliament in June. FEDMA and the DMA are now reviewing the amendments.

What we can do to protect our industry
There is still time to lobby your regional MEP on the draft Regulation. The DMA has produced a lobbying kit.

The DMA will continue to lobby MEPs on this issue and is working closely with FEDMA and the UK Data Industry Group (made up of trade associations and clients from the advertising, marketing and communications sectors).

James Milligan, Solicitor, DMA
