EU agrees to peg data breach fines at 4 per cent of global turnover

Also promises more support and less red tape for SMEs

The European Union agreed last night, as part of its ongoing talks around the General Data Protection Regulation (GDPR), that companies that break data protection regulations will face fines of up to four per cent of their global sales.

The GDPR, which is due to come into full effect from 2018 - but with specific new measures effective from 2016 - will, says the Commission, "enable people to better control their personal data".

"At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust."

Meanwhile, the Data Protection Directive, designed for the "police and criminal justice sector", will "ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action".

"At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe," the EC said.

The regulations, which are still in draft and have not been officially released in full, also promise "benefits for big and small alike", with cuts to "red tape" for European businesses, "especially for small and medium enterprises". The intention, said the EC, is to "help SMEs break into new markets" by removing the need to send notifications to supervisory authorities, a requirement reported to cost 130m euros every year, and by allowing SMEs to charge a fee for providing access to data where requests are "unfounded or excessive".

SMEs will also not need to appoint data protection officers if their core activity is not data processing, nor will they be obliged to carry out impact assessments unless the company is considered high risk in this area.

By comparison, the threat of a four per cent fine for larger companies is being seen as a much bigger stick.

"Individuals' personal data will be better protected, when processed for any law enforcement purpose including prevention of crime," said the EC.

"It will protect everyone - regardless of whether they are a victim, criminal or witness. All law enforcement processing in the Union must comply with the principles of necessity, proportionality and legality, with appropriate safeguards for the individuals. Supervision is ensured by independent national data protection authorities, and effective judicial remedies must be provided."

Mark Thompson, privacy practice leader at KPMG, said his firm is "pleased to see the EU is on the cusp of agreeing the GDPR, which is a significant overhaul of European privacy and data protection laws".

However, he acknowledged that many businesses have much work to do in order to reach early compliance.

"While there will be different concerns by each sector, we understand that sanctions could run as high as four per cent of a company's annual global turnover, and some of the new requirements, such as breach notification requirements, the right to data portability and the right to have your data erased, are likely to cause significant challenges for organisations to implement the rules effectively."

Companies, he said, will be required to "re-evaluate their privacy risk postures and take action" with the very real threat of huge fines hanging over their heads.

Richard Brown, director for channels and alliances in EMEA at Arbor Networks, also urged the industry to remain focused on their own particular objectives, rather than getting bogged down purely in compliance.

"As with all regulations it is important that organisations maintain their focus on the 'goal', rather than purely on compliance. The impact of data breaches on both business and the end-user can be significant and businesses need to ensure they are protecting themselves and their customers, not just trying to comply with the legislation," he said.

Meanwhile, techUK has added a layer of scepticism to proceedings, releasing an uncredited statement saying, "the big test will be whether Europe's consumers and citizens really do feel better informed and protected as a result of the new rules and whether Europe's businesses are able to stay at the forefront of digital innovation".

"Much will depend on the implementation of the Regulation and the role that Europe's Data Protection Authorities play in interpreting and applying the new rules. Time will tell whether this Regulation underpins or undermines Europe's ambitions for digital growth."