EU General Data Protection Regulation to be finalised this week

Biggest change in data protection laws for 20 years set to come into force in 2018

The European Union's General Data Protection Regulation (GDPR), along with a new Data Protection Directive for police and criminal justice authorities, is expected to be finalised this week.

It follows the endorsement of EU national governments in a vote of the Council of Ministers last week, with the European Parliament set to vote the measures through this week.

"The Regulation provides for a single set of rules, valid across the EU and applicable both to European and non-European companies offering online services in the EU," claimed the Council of Ministers in a statement released following the vote.

It continued: "This avoids a situation where conflicting national data protection rules might disrupt the cross-border exchange of data. It also provides for increased cooperation between member states to ensure coherent application of the data protection rules across the EU.

"With a view to reducing administrative costs, the regulation applies a risk-based approach: data controllers can implement measures according to the risk involved in the data processing operations they perform. Different businesses have different activities and the risks of such activities in terms of privacy can vary. The regulation does not set out a one-size-fits-all solution: the stronger the risks of the activities for the personal data, the more stringent the obligations."

Kuan Hon, a data protection law expert and consultant lawyer at law firm Pinsent Masons, warned that organisations need to start preparing for the GDPR now.

"With the European Parliament looking set to approve this package next week, and a lead time of only two years before the Regulation takes effect directly in all member states, organisations will need to start preparing now for what will be the biggest change to data protection laws in over 20 years," she said.

One of the key benefits of the Regulation will be the one-stop shop principle, whereby organisations operating across the EU will only need to be accountable to one data protection authority.

The use of a "regulation" instead of a "directive" means that the Regulation applies directly in member states' legal systems. A directive, by contrast, needs to be transposed into national legislation and then voted on by national parliaments. As a result, directives can end up looking very different when implemented across the EU.