Knowledge

New EU Data Protection Regulations

14 Jan 2016 | Research & Business Knowledge

 

On the 15th December 2015 the EU Commission and Parliament agreed the wording for the new Data Protection Regulations and Directive (GDPR).  Getting to this point has been a painful process and taken three years of negotiation, but the final texts will be formally adopted by the European Parliament in early 2016 and come into effect two years later.

the reform focuses on two 'instruments' – the General Data Protection Regulation (to help people controle their personal data) and the Data Protection Directive (applicable to the police and criminal justice sector to protect victims, witnesses and suspects).

The changes will make it easier for people to access their own data, transfer it between service providers, be 'forgotten' when they want and be notified by companies if data has been hacked so that they can take appropriate action.  for businesses, the implications are slighlty wider:

  • One unified set of rules which will apply to all of business in the EU
  • One single supervisory authority across the EU
  • Companies based outside of Europe but operating/ offering services within the EU are also subject to the rules
  • Risk based approach to regulation/ enforcement
  • Data protection safeguards built into products and services from outset
  • Encouraging privacy friendly techniques (pseudonomysation) to enable big data but also protect privacy

Under the new rules, SMEs will benefit from significant reduction in red tape:

  • No longer need to Notifications to supervisory authorities, in the case of the UK, the ICO, are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.
  • Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
  • SMEs are exempt from the obligation to appoint a data protection officer if data processing is not their core business activity.
  • SMEs will have no obligation to carry out an impact assessment unless there is a high risk.

Griffin House Consultancy has put together a video overview of the new rules and what it could mean for you – https://www.griffinhouseconsultancy.co.uk/resources/new-eu-data-protection-regulations-and-directive/

Menu