EU agrees new data protection law

european-union-155207_640It has just emerged that the EU has reached agreement on the much-anticipated General Data Protection Regulation (GDPR). (These are the new rules that will replace the UK’s Data Protection Act 1998).

The details of the new rules will become clear (allegedly) in early in 2016 and there will then be a two-year transition period, so that the new rules will come into effect in early 2018.

The press release from the European Commission claims that the reform “will allow people to regain control of their personal data” and “allow them to have trust when they give their personal data”.


Based on the press release from the European Commission, the key headlines are:


Fines can be imposed of up to 4% of annual global turnover for breaches of the rules – (lower than the 5% supported by the Parliament but double the level proposed by either the Commission or Member States) 

NB: For global Internet companies in particular, this could amount to billions


The new standard will be freely given, specific, informed and “unambiguous” consent – i.e. a clear affirmative indication – for processing of all data and “explicit” consent for the use of sensitive personal data. (There are concessions to the need for online consent to avoid being “unnecessarily disruptive”)

Breach notification

Data breach notification to the regulator for all organisations “without undue delay” – and where feasible within 72 hours.  Breaches unlikely to result in a risk to the rights and freedoms of data subjects do not need to be notified. The threshold for notifying affected individuals would be breaches likely to pose a high risk.

Supply chain

Joint and several liability for suppliers (data processors)


A requirement for the public sector and for private sector organisations engaged in large scale, systematic monitoring to appoint a data protection officer (but with flexibility for Member States to impose stricter DPO requirements).

European rules on European soil

Businesses based outside of Europe will have to apply the same rules when offering services in the EU.


Interestingly, the EC press release claims that the GDPR will stimulate economic growth by cutting costs and red tape for SMEs that “will help SMEs break into new markets”. These reductions in red tape are (as described in the press release): 

No more notifications: Notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely

Every penny counts: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access

Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity

Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

This means that:

The notification fee will be scrapped-with implications for funding the ICO 

The £10 fee for responding to subject access requests will be raised (in some circumstances for some organisations). 

Privacy Impact Assessments will only need to be carried out in limited circumstances. 


There is of course much more to say and much more to digest about these far-reaching reforms. 

Businesses have just over two years to gear up for profound changes in the way they collect and use data. The ICO has recommended making a start in the five key areas detailed here.     

DataHelp will be taking stock and providing practical analysis on key compliance issues in the New Year. 

Leave a Reply

Your email address will not be published. Required fields are marked *