GDPR finally approved by European Parliament

It has taken four years for the new EU data protection regulation to be finalised

The European Parliament has finally approved the new General Data Protection Regulation (GDPR), after four years of debate and disagreements.

It is likely that it will take at least two years before the laws start being enforced - giving businesses time to ensure they are prepared.

The GDPR brings a single, EU-wide data protection law to the statute books with some notable components.

These includes fines of up to four per cent of global turnover for data breaches, and more stringent requirements on collecting and using data for marketing purposes, and enshrines the Right to be Forgotten and data portability for citizens.

Andrus Ansip, vice president in charge of the Digital Single Market at the European Commission, explained that the move will boost economic growth in Europe by giving firms a clearer set of data protection regulations.

"The new rules will ensure that the fundamental right to personal data protection is guaranteed for all," he said.

"The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules."

The law has now been approved but it will be some time before it becomes binding. The European Parliament said that nations have two years to transpose the new laws onto their statute books.

Nevertheless, Phil Lee, data protection partner at Fieldfisher, described the final approval of the new data protection regulation as an "historic" day.

"Europe has adopted its new data protection laws and these will raise the bar right across Europe - and quite possibly worldwide - for the protection of individuals' fundamental privacy rights," he said.

However, Lee added that the new law benefits individuals more than businesses, and that some of the requirements are somewhat onerous on firms.

"Many of the rules introduce significant new burdens for businesses that will be keenly felt for years to come," he said.

"Whatever else may be said about it, the simple fact is that the global standard for data protection will now be dictated by European rules."

Of course, while the laws have been passed, the UK could leave the European Union after the referendum, which opens up myriad questions about whether UK firms will be affected by the new laws.

The advice from lawyers thus far has been for organisations to start preparing for the new law as if the UK will remain in Europe, rather than playing a wait-and-see game.