In June 2015 the EU Council, Parliament and Commission began negotiations with a timetable aimed at the adoption of a final proposal by the end of 2015 (and by implication the coming into force of the new law by the end of 2017).
Some of the key proposals are:
- When consent is required to process personal data, people must be asked to give it explicitly; it cannot be assumed. (Saying nothing is not the same thing as saying yes.)
- Data controllers must tell people without undue delay about data breaches that could adversely affect them.
- Any ‘significant’ loss of unencrypted personal data must be notified to the ICO within 72 hours.
- Processors must notify the data controller immediately of any confirmed data loss.
- The maximum fine available to the ICO is to be increased to between 2% and 5% of turnover.
NB: These are just some of the proposals under consideration.