EU Privacy Overhaul: Small Businesses Get Exemptions

Information Commissioner may also be given power to increase fines

Most start-ups and small businesses with fewer than 250 employees will be exempt from a new obligation to appoint a data protection officer, according to the European Union's (EU) new data privacy proposals.

Viviane Reding, vice-president of the European Commission, announced this as an example of how the EU plans to reduce the administrative burden on small companies, to help them grow.

"Many, if not the large majority, of SMEs will be exempted from the obligation to appoint a data protection officer," said Reding in a press conference today detailing the EU data protection reform.

In addition, small companies will be exempt from producing reports of their data protection policies, and from performing obligatory data privacy impact assessments, unless they deal with high-risk information such as biometric or genetic data, or data on children.

"Think small first when you regulate," Reding said. "Help the young companies to become big. Help them to do their job and not to be drowned by administrative burdens."

The new data protection laws announced by Reding today contained few other surprises after the preview she provided earlier this week at the Innovation Conference Digital, Life, Design in Munich.

Under the new regulations, all companies and organisations must notify the national supervisory authority and affected citizens of any serious data breaches "as soon as possible", which, Reding said, means within 24 hours.

There will also be a single set of rules on data protection that will apply across the whole of the EU, instead of individual rules in each of the 27 member states.

For example, companies will no longer have to notify multiple data protection authorities, which Reding said will save businesses around €2.3 billion a year.

Furthermore, organisations will only have to deal with a single national data protection authority in the EU country where they are mainly based.

"One rule for 27 member states and 500 million people. One data protection authority for one company. One authorisation for the whole of the European Union," said Reding.

The new EU data protection laws will also require organisations to write privacy policies in clear and plain language so that citizens know how their data will be used.

Citizens will also have to give their explicit consent to organisations for their information to be used, and will have the right to delete their data and move their data from one provider to another.

"Data portability will improve the competition among services," Reding said.

Meanwhile, Reding hopes to strengthen the power of independent national data protection authorities, which, in the UK, is the Information Commissioner's Office (ICO).

The data protection authorities will be able to issue fines to companies that violate the EU data protection rules, which can lead to penalties of up to €1 million (£831,000), or up to two percent of a company's global annual turnover.

The ICO currently has the power to issue fines of up to £500,000.

Reding's proposals will now be discussed by the European Parliament and EU member states, and changes will come into effect two years after they have been adopted.

Copyright © 2012 IDG Communications, Inc.