Brussels’ chiefs have caved in over plans to force companies which process personal data – virtually all businesses these days – to hire dedicated data protection officers, potentially saving the industry tens of millions of pounds.
The early Christmas present for the industry follows intense lobbying from both the UK marketing sector – led by the DMA – and the Ministry of Justice.
At the moment, any firm processing personal data need only have a data controller, whose data responsibilities are normally just part of their role. They must also be registered with the Information Commissioner’s Office; for the vast majority of firms this costs just £35 a year; for those with a turnover of more than £25.9m, the fee is £500.
The call for each company to appoint a dedicated data protection officer (DPO) – who could command a salary of up to £60,000 a year – was heavily backed by MEPs.
However, the EU Council came out against the proposal. Now, according to a leaked Council presidency document, a compromise has been reached which means only those processing data on a massive scale or those holding highly personal information such as a person’s race, ethnicity, political or religious views or details of their health or sex life will have to hire a DPO.
The document, which is full of the usual Brussels gobbledygook, states: businesses whose “core activities consist of [personal data] processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of the data subjects on a large scale” would be under an obligation to appoint a DPO.
Meanwhile businesses whose “core activities consist of processing on a large scale of special categories of data and data relating to criminal convictions and offences” would also be required to appoint a DPO, under the plans.
Public bodies would also be required to appoint a DPO, where they process personal data, according to the document.
Even then, a DPO could be shared by businesses operating in the same group or across several public bodies. A person employed as a DPO would also be able to do other tasks and duties.
In its original submission to the EU back in 2013, the Ministry of Justice said: “The Government does not believe that the requirement to have a data protection officer is necessary… and we believe there are other means of achieving the accountability principle.”