New EU data protection laws could be a "real headache" for UK charities if implemented in their current form, an intellectual property lawyer has warned.
Mike Gardner, head of intellectual property at the law firm Wedlake Bell, said he was telling charity clients they should prepare for the laws before they come into force, which is expected to happen between March and September next year.
The draft regulation, first proposed in 2012 to update and strengthen the Data Protection Directive, was adopted almost unanimously by the European Parliament in March and is making its way through the EU legislative process.
Gardner cited the proposed obligation for any organisation with more than 250 employees to appoint a data protection officer as an example of how difficult the changes could be for charities, saying it would be an "organisational and administrative nightmare" to comply with this rule alone.
"Unless UK plc voices its concern over the new rules from Brussels, it could mean a real headache for UK businesses and charities," he said. "UK charities must prepare for these changes – doing nothing is not an option."
Asked how an existing charity employee could become a data protection officer, Gardner said that no guidance had been provided on how to achieve this status, simply that the person would need to be "suitably qualified" and understand data protection laws. He said this was an unrealistic ambition, given that only a few hundred lawyers were familiar with this area.
He said the application of this rule to organisations with 250 employees was an arbitrary requirement that took no account of how much personal information an organisation had under its control.
Gardner referred to well-publicised data protection breaches by charities such as the British Pregnancy Advisory Service, which was fined £200,000 earlier this year after a hacker gained access to the personal details of almost 10,000 people on its website.
He said these cases had already had very serious consequences for the sector from both a reputational and a financial perspective. If the new EU laws were implemented in their existing form, he said, charities would face increasing costs and scrutiny and more serious penalties if they got it wrong.
Some of the main proposals are: introducing fines from data protection authorities of up to €1m (£780,000) or 2 per cent of annual worldwide turnover; bringing in a duty to confess, which will mean that charities will need to notify the authorities of a data breach within 24 hours of becoming aware of it and also notify the individuals whose personal data was affected; and specifying that any charity holding data on any person would have to gain explicit consent if they wished to use that data in any way.