The European Commission has published its proposed reforms of European data protection legislation in its draft General Data Protection Regulation.
Hans Allnutt, associate at international law firm DAC Beachcroft commented: "The regulation will significantly change the data protection regime for UK and European organisations. Organisations suffering a personal data breach (for example, as a result of a hacking incident) will have to notify the data regulator within 24 hours of establishing a breach. They must also notify any affected individual without 'undue delay'. Those which fail to do so, intentionally or negligently, may face fines of up to EUR1,000,000 or 2% of annual turnover. The regulation also expressly provides for affected persons to claim compensation from those organisations in breach of the regulation and for the local regulator to conduct investigations on its own initiative."
The European Parliament and Council are expected to adopt the regulation by the end of 2012 after which member states will have two years to prepare before the regulation takes legal effect.
"While it could take until 2015 for these provisions to become law, having this legislation in the pipeline will add to the growing awareness of the risks associated with the loss of personal data," Allnutt added. "Many organisations already routinely notify data breaches on a voluntary basis and private sector notifications were up 58% in the UK in 2011.
"Compulsory breach notification was a key factor in the growth of the cyber risk insurance market in the United States and the same may be expected in the UK and EU. Insurers can expect to see heightened interest in cyber risk products in the coming years."