New data protection rules for Europe

22/12/2015

The GDPR will also introduce new data protection requirements. For example, businesses will be required to:

  • appoint a data protection officer in certain circumstances (e.g. for companies processing sensitive data on a large scale)
  • notify data breaches to the relevant data protection authority or authorities within 72 hours. In certain circumstances the breach will even have to be notified to the affected data subjects.
  • conduct privacy impact assessments before carrying out high-risk data processing
  • build in privacy by design when processing personal data

Unlike under the current EU data protection rules, many of the new rules will also apply to data processors (e.g. an external payroll services provider processing data for an employer).

One of the biggest changes is the penalties. The EU wants data protection to become a board-level issue. Therefore, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover.

The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable in 2018.