The UK government has this month issued a call for evidence on the current European data protection legislative framework, ahead of European-wide negotiations on an update of the European Data Protection Directive 95/46/EC due at the start of next year. Reforms could potentially have a significant impact on the data storage and access requirements for financial institutions and therefore entail a reworking of firms’ current data warehouses and EDM systems.
The UK’s call for evidence, which is open until 6 October 2010, is asking for general feedback on the current data privacy practices and recommendations for improvement. At the same time as this information gathering exercise, the government has also published a provisional post-implementation review impact assessment of the Data Protection Act 1998, on which it is also asking for comments.
The call for evidence has broken down the areas in which the government is seeking feedback upon into seven categories: definitions; data subjects’ rights; obligations of data controllers; powers and penalties of the Information Commissioner; the principles-based approach; exemptions under the Data Protection Act; and international transfers. In terms of impact, the move from a principles-based approach to a more prescriptive environment could potentially significantly alter financial institutions’ obligations and data management practices.
The politicians are keen to revise these requirements, however, as it has been 15 years since the European directive was passed and technology has moved on substantially since that time. The legislation will therefore need to take into account trends such as the storage of data in the cloud and mobile technology in order to better address data privacy risks posed by these technological innovations. The call for evidence notes: “It is important that any new legislative changes take into account the way technology is advancing, enabling it to be ‘future proofed’ as far as possible.”
Data managers will need to keep a close eye on developments, as they happen and feed back any recommendations to the relevant bodies in their jurisdictions in order to ensure data privacy requirements to not become overly prescriptive and difficult to navigate. The likelihood is that many new requirements will spring from the updated directive and these could mean extra security measures, but they could also mean the reworking of current EDM systems to separate different levels of data by the nature of its customer sensitivity.
