
EU approves plan to overhaul data protection rules


EU negotiators yesterday agreed on new data protection rules that will see heavy fines levied on companies that suffer data breaches.

The European Commission struck an agreement with the European Parliament and the European Council over the EU Data Protection Reform, which was first put forward in January 2012.

Under the new rules, the same data protection rights will apply across the EU, regardless of where users’ data is processed.

Two parts

The reform consists of two parts: the General Data Protection Regulation (GDPR) and the Data Protection Directive.

Under the GDPR, people will have better control over their personal data. It will also enable businesses to make the most of the Digital Single Market due to a reduction in red tape and an increase in consumer trust, the European Commission claims.

The Data Protection Directive, aimed at the police and criminal justice sector, will ensure the data of victims, witnesses and crime suspects is adequately protected during criminal investigations and law enforcement action. It will also lead to the cross-border cooperation of police and prosecutors.

The changes

The regulations will enable individuals to have more control over their personal data. They will receive more information on how their data is processed and will be able to transfer it easily between service providers. Individuals will also have the right to know when their data has been hacked.

According to the European Commission, businesses will save an estimated €2.3bn (£1.7bn) per year as they will only have to deal with a single supervisory authority within Europe.

It also claims the data protection reform will help SMEs break into new markets, due to a reduction in red tape.

These companies will be able to charge a fee for providing access to data where the requests are unfounded or excessive, and they will be exempt from having to appoint a data protection officer, so long as data processing is not their core business activity.

Additionally, SMEs will not be obliged to carry out impact assessments, unless there is a high risk.

Regulation overhaul

Mark Thompson, privacy practice leader at KPMG, labelled the GDPR a “significant overhaul of European privacy and data protection laws”.

He went on to say a number of organisations have a lot of work to do in order to become compliant in time for the launch of the regulations in 2018.

“While there will be different concerns by each sector, we understand that sanctions could run as high as 4% of a company’s annual global turnover and some of the new requirements … are likely to cause significant challenges for organisations to implement the rules effectively,” Thompson added.

The final document detailing the regulation is to be released in the New Year, when the finer points and their impact will become clearer.

“Assuming that member states give the green light and the last few hurdles are passed, privacy will be catapulted up the list of global organisations’ enterprise risks, requiring them to re-evaluate their privacy risk postures and take action,” said Thompson.


Phil Lee, partner in the privacy, security and information group at European law firm Fieldfisher, claimed the regulation represents the most significant development in data protection that Europe, possibly even the world, has seen in the past 20 years.

“Forget Safe Harbour and Right to be Forgotten – this is much, much more significant,” he added.

Lee went on to say the regulation will certainly see data protection concerns reach board level within companies.

“Fundamentally, the regulation is about accountability. It’s about businesses not only being compliant, but being able to show they’re compliant,” he concluded.