The European Commission, The European Parliament and the European Council have reached an agreement on the new General Data Protection Regulation. The Regulation is expected to be formally adopted in the beginning of 2016, and will come into effect two years hereafter. 

The new General Data Protection Regulation will, inter alia, involve:

  • Much larger fines for breaches – up to EUR 20 million or 4 % of global turnover,
  • Obligation to appoint a Data Protection Officer for larger companies,
  • Intensified rules and increased requirements, including, inter alia, increased information on how data is processed and commitment to “forget” (permanently erase) all information concerning a person upon request,
  • Notification to the national supervisory authority of serious breach (for example if individual’s information has been hacked) within 72 hours, and
  • Development of compliance program/regulation for larger companies.

All companies processing personal data – whether it is a data controller or only processing data on behalf of others (data processor) – will be covered by the regulation. Companies established outside the EU will also be covered if they offer services in the EU and thus processing personal data of EU citizens. 

The overall objective is to ensure individuals’ control over their personal data. It is also the purpose that the General Data Protection Regulation will stimulate economic growth, and, particularly for SMEs, reduce the administrative burdens and costs for European businesses.

For groups of companies and companies that operate across the EU, the new regulation also entails that the organization only needs to deal with one set of rules and one supervisory authority (instead of 28 as of today), and they will compete on a level playing field (in relation to data protection) with companies established outside the EU.

Also, the current application and notification requirements will in general completely disappear. There can, however, continue to be national rules, for example Denmark’s obligation to notify the processing of personal data as part of administration of personnel.  

We encourage all businesses to start the implementation of the necessary changes.