Each organisation should be able to decide how to implement basic data protection principles, says former information commissioner

Former UK Information Commissioner calls for a 21st century European framework for data protection to address the realities of the digital world.

The former information commissioner Richard Thomas, now strategy adviser at Hunton & Williams and member of the Centre for Information Policy Leadership (CIPL), called for a modernisation of European data protection laws.

He said: “The pace of technological change is increasing both benefits and threats. Powerful devices, instant communications, more effective search and analytical tools and ever-cheaper data storage capacity create seemingly endless opportunities to gather and interpret information about us, our activities and our preferences.

“European data protection laws have a poor reputation for being bureaucratic, uncertain and burdensome. The new approach must find the ‘Holy Grail’ of maximising effectiveness while minimising the burden.”

Thomas was responding to the European Commission's current consultation on ‘A comprehensive approach to personal data protection’. He said he was delighted that a review is under way, but that there is still a long way to go to draft balanced laws that will work in practice when so much personal information can flow so easily around cyberspace with no regard to national boundaries.

“Companies, government departments and other data controllers need to adopt privacy programmes to deliver genuine protection for the people they deal with. They should then be held directly accountable for the claims they make and the way they implement their programmes,” said Thomas.

“This is more realistic and less burdensome than expecting prior approval for specific activities from regulators. This approach also recognises that the legal paperwork, the technology and the staff management must all be addressed. But ‘one size does not fit all’ and each organisation should be able to decide for itself how best to implement the basic data protection principles in practice. If they get it wrong, businesses know that they pay a heavy price in financial, reputational and legal terms.”
