By Aleksander Kalisz

Since the Data Protection Directive of 1995, the laws governing data protection at the European level have remained largely stagnant. The existing regime pertains mainly to data controllers – those who decide why and how personal information is collected and used. Data processors – those who handle the information on a controller's behalf – are normally left outside most of its direct obligations.[1] In addition, the current regime has glaring loopholes: relatively low penalties, indefinite data retention periods and the lack of safeguards for individuals who consent to the storage of their personal data are among its defects.

The framework for human rights is set out in the European Convention on Human Rights (ECHR), which is regarded as 'the floor' of the EU's human rights policies.[2] Article 8 of the ECHR requires data protection laws to respect the individual's right to a private life, and this requirement is frequently integrated into policies set by the European Union (EU). The European Court of Justice (ECJ) has even stated that the EU could and should 'go beyond' the ECHR by adopting more extensive protection measures. Taking these into account, it is hardly surprising that the EU has opted to strengthen its laws in the field of data protection, especially in light of the mass data thefts of 2016.[3]

Thus, the new legislation on data protection – the General Data Protection Regulation (GDPR), which applies from 25 May 2018 – is a logical step for the EU to take. The incoming Regulation introduces extensive changes, and businesses handling personal data are advised to allow 12 – 15 months of preparation in order to comply.[4] The Regulation will also be carried into the law of the United Kingdom after Brexit via a new data protection bill.[5] The GDPR introduces new rules in a number of areas, the most significant of which are discussed below.

  1. The Expanded Territorial Reach

The GDPR will apply to data processors and controllers located outside the EU where they offer goods or services to individuals in the EU, or monitor their behaviour, regardless of the individuals' nationality. These provisions may therefore impose significant expenses on foreign companies. As such, with these rising expenses, non-European companies might not find it profitable to target EU consumers.

  2. Data Protection Officers (DPOs)

In certain circumstances, the Regulation requires both data processors and controllers to designate a DPO, who will be responsible for monitoring data protection compliance within the organisation. The requirement applies where any one of three conditions is met: (1) the processing is carried out by a public authority; (2) the organisation's core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale; or (3) its core activities consist of large-scale processing of special categories of data, such as health data, or of data relating to criminal convictions.

The major criterion will be the scale of the processing carried out by a company rather than the company's size – though the two may go hand in hand. Hence, this policy is likely to impact small businesses which handle an extensive amount of personal data, since it may be expensive to headhunt and employ such an officer. However, it is less likely to impact other types of businesses, such as many online retailers, which will not meet the large-scale threshold.

  3. Consent Policy, Individual's Rights

Under the GDPR, consent to use an individual's personal data must be specific, informed, freely given and unambiguous, and must be signalled by a clear affirmative action. A request for consent must be made in clear, plain language and be clearly distinguishable from other terms in the document.[6] In other words, a pre-ticked box, or consent buried in a lengthy online document, will not suffice. Similarly, silence or inactivity will not be accepted as implied consent.

Furthermore, an individual has a right to be forgotten: where one of the grounds set out in the Regulation applies (for example, the data are no longer needed for the purpose they were collected for, or consent has been withdrawn), the company is obliged to erase the personal data on request. Finally, an individual also has a right to object to the use of their personal data for direct marketing purposes, and this right must be explicitly brought to their attention. As such, there is an implied requirement that companies keep personal data catalogued so that they can locate it and respond to individuals' requests.

  4. Fines and Data Breach Notifications

The competent supervisory authority – the national data protection authority (DPA), which in the UK is the Information Commissioner's Office – must be notified of a personal data breach within 72 hours of the company becoming aware of it, with any delay beyond that to be justified. Since the clock starts at the moment of awareness, 72 hours is a very short window in which to investigate an incident, classify it as a breach of personal data and assemble the required details. The policy is aimed at allowing the DPAs to respond to a crisis quickly.

As such, this requirement may not be viable for both large and small businesses operating with vast quantities of data – the breach might simply be untraceable or hard to classify. Research by Hartford Steam Boiler, a speciality insurer, showed that 55% of small companies have experienced a data breach.[7] Due to the ubiquity of this problem, many firms may fail to submit a report in time – large companies because of the sheer amount of data they use, and smaller companies because they are often the primary targets of hacking attacks. On the whole, this policy indirectly demands that companies tighten their data security, and in particular their ability to detect breaches, or face the threat of penalties for non-compliance.

In the event of a breach of the Regulation, the supervisory authority can impose a fine of up to €20 million or 4% of the company's worldwide annual turnover – whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements). This is a significant increase on the penalty cap under the current UK regime, which is set at £500,000.


To conclude, it is clear that individuals' data will be better protected under the new regulations. However, there may be a disproportionate impact on smaller businesses, in particular data processors, as they are burdened with expensive and impractical requirements. The largest companies will also be affected, both by the draconian penalties imposed for a breach and by the implied need to pay constant attention when handling data. It remains to be seen whether the GDPR will fix the legal loopholes of the previous regulations. The Regulation also assumes that any practical issues will be addressed and clarified at a national level – such as the exact meaning of bringing individuals' rights "explicitly" to their attention. An undeniable weakness of the GDPR is therefore the assumption that the system it creates will work perfectly. The biggest challenges may be companies' ability to identify and protect against breaches, as well as their collaboration with the regulators.

Despite the significant reforms, the Deputy Commissioner of the Information Commissioner's Office nonetheless labelled them as evolutionary rather than revolutionary. Are the regulations merely adjustments of the current rules? It is certainly clear that implementing the Regulation will not be simple. While it is true that the GDPR builds upon the previous regulations, the Deputy Commissioner might have underestimated the practical consequences of enforcing the policy, which remain to be seen. Compliance with the previous regulations will stand businesses in good stead: businesses which have diligently implemented them will find it easier and cheaper to adjust to the GDPR, since much of the required work and expense will already have been incurred.




[1] Aliya Ram, 'Tech sector struggles to prepare for new EU data protection laws' (Financial Times, 30 August 2017) <> accessed 3 October 2017.

[2] Paul Craig and Gráinne de Búrca, EU Law – Text, Cases and Materials (6th edn, Oxford University Press 2015) 381.

[3] Aliya Ram, 'Tech sector struggles to prepare for new EU data protection laws' (Financial Times, 30 August 2017) <> accessed 3 October 2017.

[4] Matthew Holman, 'Next Year Under New Data Protection Regulations' (EMW Law, 26 May 2017) <https://> accessed 3 October 2017.

[5] Aliya Ram, 'Tech sector struggles to prepare for new EU data protection laws' (Financial Times, 30 August 2017) <> accessed 3 October 2017.

[6] Allen & Overy, 'The EU General Data Protection Regulation' (Allen & Overy, 2017) <SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf> accessed 4 October 2017.

[7] Hartford Steam Boiler, 'Small Businesses, Big Data Breach Exposures' (Munich Re, 2013) <https://> accessed 5 October 2017.