Organisations with more than 250 employees will have to designate a data protection officer to ensure that they deal with the personal information of staff and customers correctly, under reforms proposed by the European Commission.
The Commission aims to enhance the accountability of European organisations that process data by requiring large employers, and those that gather personal information in the course of their business, to appoint data protection officers.
Under the proposals, the “patchwork” of data protection laws and reporting requirements across Europe will be replaced with a single set of rules for all 27 member states.
According to Viviane Reding, vice-president of the Commission, the reforms will eliminate unnecessary administrative burden for businesses, saving them around €2.3 billion per year.
She commented: “Businesses are worried because they are faced with many varied, sometimes contradictory data protection requirements, due to different national laws, due to different ways the national data protection authorities apply these laws, and they are also confronted with a load of notification requirements.
“This leads to legal uncertainty, to legal fragmentation and it makes it difficult for companies, most of all those innovative start-ups … to do business in the European single market. This is a real extra cost, a real extra burden on our companies.”
Before the changes come into force, the Commission will work with the European Parliament and the European Council to agree a framework for the data protection reforms. This is expected to be completed by the end of 2012.
Other measures proposed by the Commission include an obligation for those who control data to notify authorities of breaches and a system which would make it easier for individuals to control their own personal data.
Full details on the proposed changes to individual control of data and security breaches can be found in XpertHR’s summary of the data protection reforms.