News and Events

New data protection law agreed by EU

  • Posted

Guest blog by Robert Wassall

The EU has reached agreement on the new General Data Protection Regulation (GDPR), which will replace the UK’s Data Protection Act 1998.

The details of the new regulation will be clarified in early in 2016 and there will be a two year transition period before the rules will come into effect in early 2018.

The European Commission says in a press release that the GDPR, “will allow people to regain control of their personal data” and “allow them to have trust when they give their personal data”.

The key points

The European Commission issued a press release which highlighted the key points of the GDPR:

  • Fines - Can be imposed of up to 4% of annual global turnover for breaches of the rules – (lower than the 5% supported by the Parliament but double the level proposed by either the Commission or Member States). For global Internet companies in particular, this could amount to billions
  • Consent - The new standard will be freely given, specific, informed and “unambiguous” consent – i.e. a clear affirmative indication – for processing of all data and “explicit” consent for the use of sensitive personal data. (There are concessions to the need for online consent to avoid being “unnecessarily disruptive”)
  • Breach notification - Data breach notification to the regulator for all organisations “without undue delay” – and where feasible within 72 hours.  Breaches unlikely to result in a risk to the rights and freedoms of data subjects do not need to be notified. The threshold for notifying affected individuals would be breaches likely to pose a high risk
  • Supply chain - Joint and several liability for suppliers (data processors)
  • DPOs - A requirement for the public sector and for private sector organisations engaged in large scale, systematic monitoring to appoint a data protection officer (but with flexibility for Member States to impose stricter DPO requirements)
  • European rules on European soil - Businesses based outside of Europe will have to apply the same rules when offering services in the EU

Benefits for SMEs 

Interestingly, the European Commission press release claims that the GDPR will stimulate economic growth by cutting costs and red tape for SMEs that “will help SMEs break into new markets”. These reductions in red tape are: 

  • No more notifications - Notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely
  • Every penny counts - Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access
  • Data Protection Officers - SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity
  • Impact Assessments - SMEs will have no obligation to carry out an impact assessment unless there is a high risk.


  • The notification fee will be scrapped with implications for funding the ICO 
  • The £10 fee for responding to subject access requests will be raised (in some circumstances for some organisations)
  • Privacy Impact Assessments will only need to be carried out in limited circumstances. 

Businesses have two years to gear up for profound changes in the way they collect and use data. The Information Commissioner's Office has recommended making a start in five key areas.     

If you would like advice about the new data protection laws, contact one of our team.