The European Union has indicated that the widely-awaited General Data Protection Regulation (GDPR) will come to fruition before the end of the year.
In a lengthy blog post issued yesterday, which was the ninth European Data Protection Day, vice president Andrus Ansip and Commissioner Vera Jourova said that the reforms would bring the EU's data protection practices into the modern era.
“Citizens and businesses are waiting for the modernisation of data protection rules to catch up with the digital age,” they said in a statement. “New technologies are emerging fast and have enormous potential for our society and economy. This potential can only be fully realised if people can trust the way their personal data is used. Ensuring trust will allow the European Digital Single Market to live up to its full potential. EU data protection reform, which will cut red tape for business and ensure a single set of rules, is part of the solution.”
“EU Data Protection reform also includes new rules for police and criminal justice authorities when they exchange data across the EU. This is very timely, not least in light of the recent terrorist attacks in Paris. There is need to continue and to intensify our law enforcement cooperation. Robust data protection rules will foster more effective cooperation based on mutual trust.
“We must conclude the ongoing negotiations on the data protection reform before the end of this year. By the 10th European Data Protection Day, we are confident that we will be able to say that the EU remains the global gold standard in the protection of personal data.”
Stewart Room, privacy lawyer and partner at PwC, said in an email to SCMagazineUK.com that the news is encouraging, and urged businesses to get compliant.
“The joint statement expresses confidence and optimism that the EU data protection reform process will be completed by the time we reach the next Data Protection Day in 2016. Of course, nothing is guaranteed, because the completion of the reforms requires the agreement of all the EU member states, but it does seem that the confidence and optimism are well placed: the reform process is much closer to its end than its beginning,” said Room.
“Clearly, businesses need to take action now, to assess the extent to which they may need to make adjustments to their business practices to meet the requirements of the new law. They shouldn't leave this analysis until the political negotiations are complete, because they won't have enough time to make the required adjustments by the time the law actually comes into effect.”
Alessandro Porro, VP of international at Ipswitch, agreed with Room that IT and IT security professionals need to review the impending legislation, and adapt their businesses accordingly.
“GDPR includes an obligation to protect personal data across the border-less enterprise. IT professionals should review and bolster their data processing policies and practices now, before the regulation comes into effect.
“A recent Ipswitch survey revealed that more than half (56 percent) of IT professionals in businesses could not accurately identify what ‘GDPR’ means. Over half of respondents (52 percent) admitted they were not ready for GDPR, and over a third (35 percent) confessed to not knowing whether their IT policies and processes were up to the job, while only a mere 12 percent of respondents felt ready for the change.”
The EU General Data Protection Regulation has been in the works for three years. In January 2012, the European Commission proposed a reform of the existing data protection rules – based on the 1995 Data Protection Directive – and set about drawing up a draft Regulation which established a framework for data protection within the 28 member states. Meanwhile, a draft Directive was published on the protection of personal data processed by police and criminal justice authorities.
These proposals are currently being discussed by the two European Union co-legislators, the European Parliament and the Council of the EU, in which national ministers sit. To become law, the proposals must be approved by the Parliament, the Council and the Commission.
The changes will have a huge bearing on businesses as far as information compliance is concerned: breached businesses will be forced to pay fines of up to 5 percent of gross turnover or €100 million, report breaches within 72 hours (interestingly, the notice mentions “if feasible within 24 hours”), and employ a data protection officer.
End-users also have more say, and can ask for their data to be transferred from one provider to another, vet how this data is used and even ask for data to be deleted through the ‘right to be forgotten’ – which is already in practice under existing law after the landmark Google/ECJ ruling last May.
However, as evidenced by studies from Ipswitch, Trend Micro and – earlier this week – FireEye, a significant number of European firms are ignorant about the proposed changes.