Photo © aey – Fotolia
(BRUSSELS) – With new EU data protection rules set to come into force on 25 May, the European Commission has published guidance to help Member States prepare for the changes and provide support to businesses.
The guidance outlines what the European Commission, national data protection authorities and national administrations still need to do to bring the preparation to a successful completion.
While the new regulation provides for a single set of rules directly applicable in all Member States, it will still require significant adjustments in certain aspects, such as amending existing laws by EU governments or setting up the European Data Protection Board by data protection authorities.
The guidance recalls the main innovations, opportunities opened up by the new rules, takes stock of the preparatory work already undertaken and outlines the work still ahead of the Commission, national data protection authorities and national administrations.
“In today’s world, the way we handle data will determine to a large extent our economic future and personal safety,” said Justice Commissioner Vera Jourova: “We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”
Since the adoption of the General Data Protection Regulation in May 2016, the Commission has actively engaged with all concerned actors – governments, national authorities, businesses, civil society – to prepare the application of the new rules.
Currently only two Member States have adopted the relevant national legislation. The Commission is warning the rest that they need to speed up adoption of national legislation and make sure the measures are in line with the Regulation. It says they should also ensure they equip their national authorities with the necessary financial and human resources to guarantee their independence and efficiency.
EUR 1.7 million of EU money is available to fund data protection authorities, and to train data protection professionals. A further EUR 2 million is available to support national authorities in reaching out to businesses, in particular SMEs.
A
new online practical online tool is launched today to help citizens, businesses, in particular SMEs, and other organisations to comply and benefit from the new data protection rules.
There will also be events organised across the EU to inform citizens about the impact of the Regulation.
The General Data Protection Regulation enables the free flow of data across the Digital Single Market. It will better protect the privacy of Europeans and reinforce trust and security for consumers, while at the same time opening up new opportunities for businesses, especially smaller ones.
The guidance recalls the main elements of the new data protection rules:
- One set of rules across the continent, guaranteeing legal certainty for businesses and the same data protection level across the EU for citizens.
- Same rules apply to all companies offering services in the EU, even if these companies are based outside the EU.
- Stronger and new rights for citizens: the right to information, access and the right to be forgotten are strengthened. A new right to data portability allows citizens to move their data from one company to the other. This will give companies new business opportunities.
- Stronger protection against data breaches: a company experiencing a data breach, which put individuals at risk, has to notify the data protection authority within 72 hours.
- Rules with teeth and deterrent fines: all data protection authorities will have the power to impose fines for up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover.
The Commission says it will continue to actively support Member States in the run up to 25 May, to help Data Protection Authorities and businesses ensure the reform is ready to enter into effect.
From May 2018, it will monitor how Member States apply the new rules and take appropriate action as necessary. One year after the Regulation enters into application (2019) the Commission will organise an event to take stock of different stakeholders’ experiences of implementing the Regulation. This will also feed into the report the Commission is required to produce by May 2020 on the evaluation and review of the Regulation.
General Data Protection Regulation - background guide
2018 reform of EU data protection rules – Commission guidance
