EU data protection reforms agreed: gear up for compliance by 2018


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

Yesterday evening, after almost four years of negotiations, EU institutions reached a compromise on the General Data Protection Regulation. Businesses need to gear up for a paradigm change in the way they collect and use data. The reforms still need to be officially ratified by EU Member States and by the European Parliament, and the final official text will take some weeks to emerge. In the meantime, the Council’s analysis of the final compromise text has been leaked to the Statewatch website, which gives a good indication of the final text. Olswang will be analysing the final text in more detail in due course, but in the meantime the headlines, based on the leaked Council document, include:


  • Fines of up to 4% of annual global turnover for breaches of the rules.
  • Consent: The new standard will be freely given, specific, informed and “unambiguous” consent – i.e. a clear affirmative indication – for processing of all data and “explicit” consent for the use of sensitive personal data. There are concessions to the need for online consent to avoid being “unnecessarily disruptive”.
  • Breach notification: Data breach notification to the regulator for all organisations “without undue delay” – and where feasible within 72 hours. Breaches unlikely to result in a risk to the rights and freedoms of data subjects do not need to be notified. The threshold for notifying affected individuals would be breaches likely to pose a high risk.
  • Profiling and children's data: Tougher restrictions on the use of profiling and on the collection and use of under-16s' data, which will require parental consent (and reasonable efforts to verify), but with flexibility for Member States to lower the threshold to 13.
  • Supply chain: joint and several liability for suppliers (data processors).
  • DPOs: A requirement for the public sector and for private sector organisations engaged in large scale, systematic monitoring to appoint a data protection officer (but with flexibility for Member States to impose stricter DPO requirements).
  • Other key obligations: more exacting requirements for organisations to ensure privacy by design and by default and to document their compliance with the new regime.

The Commission’s press release – which is short on the detail on the key practical obligations – is here and the European Parliament’s press release is here. The leaked text of the Council’s analysis of the final compromise text with a view to agreement is here.

Comment and next steps

The compromise agreed on Tuesday night now has to go back to the Council and the European Parliament for formal ratification, and then the text will have to be translated and formally adopted in the New Year.

The new rules will have direct effect from early 2018 – two years from the date of formal adoption and publication of the Regulation. Businesses have time to prepare, but there is much work to do. We have now moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world. Data permeates everything that we do in our digital lives and touches all organisations. However, in that time, organisations will need to completely transform the way they collect and use personal information. This is not a compliance or legal challenge; it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information.

To help clients make the transition, Olswang will be providing practical analysis of key aspects of the new regime in the New Year. We will also be hosting events and webinars to bring our clients up to speed on the changes they will need to implement.

For more information please contact:

Ross McKean, Partner, UK: +44 20 7067 3378
Andreas Splittgerber, Partner, Germany: +49 89 206028-404
Sylvie Rousseau, Partner, France and Belgium: +32 2 641 1272; +32 476 96 77 72
Blanca Escribano, Partner, Madrid: +34 91 187 1924