EU Data Protection Reform - The removal of red tape for SMEs 

December, 2017 - Pamela Morris

One step closer to implementation of the reforms relating to EU data protection regulation, this article looks at some of the implications that the reforms are likely to have for SMEs.

Key progress was made in the reform of EU data protection regulation on 12 March 2014 with the European Parliament voting in support of reform and the draft General Data Protection Regulation (the "Regulation").

The Regulation must now be adopted by the Council of Ministers in order to become law. At the earliest, this is expected to take place at the end of this year, with the deadline for member states to bring the Regulation into effect by 2016.

The reforms aim to bring the existing 19 year old principles into line with the modern data protection environment and to address the ever increasing conflict between online and digital data processing, on one hand and the right of individuals to retain control over their personal data, on the other.

There will also be a benefit for organisations that operate across international borders in having a consistent system for data protection regulation throughout the EU - one law, as opposed to 28!


The European Parliament also took the opportunity to enhance the protections in the Regulation with a view to restoring consumer trust. For example, to provide better protection against surveillance, organisations will need authorisation from the relevant national data protection authority before providing any EU citizen's personal data to another jurisdiction.

One of the aims of the Regulation is to move towards a privacy by design approach, as part of which, organisations will need to build safeguards into their structures and operations from an early stage in order to comply with the Regulation. This, along with a number of the other reforms, will require organisations to start taking action in readiness for the changes coming into effect.

The Regulation provides that EU data protection authorities (such as the Information Commissioner's Office ("the ICO") in the UK) will have the power to fine organisations who fail to comply, based on their global annual turnover. The European Commission had proposed fines of up to 2% of the global annual turnover of the organisation in breach. However, MEPs have now increased this to #100 million or 5% of global annual turnover, whichever is greater.

What about SMEs

The new focus is aimed at improving the level of control that individuals' have over their personal data whilst at the same time encouraging growth amongst European businesses by reducing red tape and its associated costs. This appears at first glance to be a contradiction, however, some exemptions from the Regulation's provisions have been made for SMEs:

Data Protection Officers - If data processing is not a SMEs core business activity it will not be required to appoint a data protection officer.

No more notifications - the obligation to notify annually will be removed entirely and, as such, organisations will not be required to complete this task or pay the costs associated with it.

Fees - Organisations will be able to charge a fee for excessive or repetitive requests to access data.

Impact Assessments - Unless there is a specific risk SMEs will not be obliged to carry out an impact assessment.

In addition to these exemptions, having one consistent approach to regulation across the EU should stimulate growth amongst SMEs, particularly as it should become easier to:

establish an office or branch in another EU country

employ local staff

deal with subsequent flows of personal data across jurisdictions

The Regulation is also intended to be applied in a flexible way and, we are informed, will take a risk based approach. In particular, it is envisaged that the rules will be applied taking account of risk so as to ensure that SMEs processing small amounts of personal data, are not treated in the same way as a large multinational processing significant amounts of personal data. One example given by the European Commission is that SMEs would not be fined for an initial non intentional breach.

What about the UK?

The ICO has recently published its corporate plan for 2014-2017 (the "Plan") which includes objectives relating to the publishing of greater detail on the outcome of complaints as well as monitoring response times to subject access requests.

In the interim therefore it is clear that organisations will need to continue to ensure that they are operating in compliance with the Data Protection Act 1998.

The Plan does however also refer to preparation for the implementation of the Regulation which the ICO considers will require "substantial change". The ICO is expected to publish further guidance in October this year.


Link to article


WSG Member: Please login to add your comment.