Lawyers are warning of substantial change following the European Union’s agreement last night to regulate data collection and punish companies that violate EU data protection laws with penalties of up to €1m or up to 4% of the global annual turnover of a company.
The EU’s new privacy legislation was agreed yesterday (15 December) by a trio of negotiating parties comprising the European Commission, the European Parliament and the Council of the European Union.
The reform package is designed to end the ‘patchwork’ of data protection rules that currently exist in the EU, while specifically the General Data Protection Regulation (GDPR) is aimed at protecting personal data while reducing red tape for firms. The reforms will see businesses only deal with one supervisory authority and create cost savings of €2.3bn a year.
The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016, and then applied by data protection authorities over two years.
Baker & McKenzie privacy partner Dyann Heward-Mills told Legal Business that collectively the reforms add up to significant change.
‘Businesses need to implement privacy by design and by default – they need to be in a position to identify the who, where, what, when and why – information under their control and demonstrate they have a comprehensive understanding of data protection risk and they are taking measures to mitigate them.’
Olswang data protection head Ross McKean said: ‘GDPR is a paradigm change in the way that data collection and use is regulated. We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world.
He added: ‘The good news is that we have just over two years to prepare for the new regime. However in that time, organisations will need to completely transform the way they collect and use personal information. This is not a compliance or legal challenge; it is much more profound than that.’
Fieldfisher privacy, security and information group partner Phil Lee added: ‘If data protection hadn’t previously reached board level before, it’s about to now. Fundamentally, the regulation is about accountability. It’s about businesses not only being compliant, but being able to show they’re compliant.’
Subscribers can read how leading general counsel view data protection in: ‘The cyber security roundtable: Victims and visions.’