12 March 2014
The European Commission's data protection reform consists of three main innovations:
One continent, one law: The Regulation will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
One-stop-shop: The Regulation will establish a 'one-stop-shop' for businesses: companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.
The same rules for all companies – regardless of their establishment: Today European companies have to adhere to stricter standards than their competitors established outside the EU but also doing business on our Single Market. With the reform, companies based outside of Europe will have to apply the same rules. European regulators will be equipped with strong powers to enforce this: data protection authorities will be able to fine companies that do not comply with EU rules with up to 100 000 000 EUR or up to 2% of their global annual turnover. SMEs will not be fined for a first and non-intentional breach of the rules.
The data protection reform will strengthen citizens' rights and thereby help restore trust. Better data protection rules mean you can be more confident about how your personal data is treated, particularly online. The new rules will put citizens back in control of their data, notably through:
A right to be forgotten: When you no longer want your data to be processed and there are no legitimate grounds for retaining it, the data will be deleted. This is about empowering individuals, not about erasing past events or restricting freedom of the press.
Easier access to your own data: A right to data portability will make it easier for you to transfer your personal data between service providers.
Putting you in control: When your consent is required to process your data, you must be asked to give it explicitly. It cannot be assumed. Saying nothing is not the same thing as saying yes. Businesses and organisations will also need to inform you without undue delay about data breaches that could adversely affect you.
Data protection first, not an afterthought: ‘Privacy by design’ and ‘privacy by default’ will also become essential principles in EU data protection rules – this means that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm – for example on social networks.
SMEs will benefit from four reductions in red tape:
Data Protection Officers: SMEs (with fewer than 250 employees) are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
No more notifications: Notifications to supervisory authorities are a formality and red tape that represents a cost for business of 130 million euro every year. The reform will scrap these entirely.
Every penny counts: Where requests to access data are excessive or repetitive, SMEs will be able to charge a fee for providing access.
Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a specific risk.
Actions Required: