Christmas came early for the European Commission: a multi-year effort to reform the continent’s aging data protection framework was finally agreed upon with the European Parliament and Council. The agreement will significantly change the compliance obligations for businesses across the world that process and transfer personal data on data subjects within the 28 member states of the European Union. Late on Tuesday, December 15, 2015, the European Commission issued a press release, which can be read here.

The General Data Protection Regulation, which will likely become effective in early 2018, will reduce much of the red tape that companies deal with when processing personal data on EU data subjects. Reforms include establishing a single set of rules, which will make it simpler and less costly for companies to do business in the EU, and providing for a one-stop shop, so businesses will only have to deal with a single supervisory authority.

The General Data Protection Regulation will also reduce some of the compliance burden for small and medium enterprises by eliminating notifications to supervisory authorities and exempting them from the obligation to appoint a data protection officer or perform impact assessments, unless the core business is data processing or there is a high risk to the personal data processed.

The reform will also bring some major obligations, though, including a reinforced “right to be forgotten” and a shortened timeframe to notify supervisory authorities and data subjects when there is a major data breach. Further, for serious violations of the new regulation, potential sanctions can reach 4 percent of a company’s global revenue.

Lastly, where the old directive generally exempted companies that processed personal data from EU data subjects but did not have a physical presence in the EU, the new rules will apply to companies that are active in the EU market even if they lack a physical presence there.

Companies that are processing personal data on EU data subjects should start planning for these reformed rules to determine an appropriate and measured strategy for compliance. More information about the reformed rules can be found on the European Commission website here.