Professional services firms have warned that businesses might struggle to adapt to recently agreed upon changes to EU data protection laws, which include fines of up to four per cent of annual global turnover for a breach.
Late yesterday evening, European Parliament and Council of the European Union negotiators agreed on a data protection package, designed to give consumers greater control over their private data and businesses greater legal certainty.
After it is fully approved, the General Data Protection Regulation, which forms part of the package, will become enforceable automatically across all the member states in two years.
Stewart Room, PwC partner and head of PwC Legal's data privacy and protection practice, today warned that businesses are not prepared for the complexity of the legal changes, especially as they are combined with the potential for pricey penalties.
"Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years - it is not much time for the magnitude of internal changes that will be required. Compliance costs will also be high, in some cases tens of millions of pounds, for large entities."
Meanwhile, Tanguy Van Overstraeten, partner and and global head of privacy and data protection at Linklaters, called the changes "the biggest shake-up to privacy regulation for 20 years", adding: "a step change in sanctions will make privacy a board level issue. Some businesses will need to start taking these issues a lot more seriously."
Mahisha Rupan, senior associate at law firm Kemp Little, pointed out that a fine of four per cent of turnover would represent a significant step-up for some businesses from the maximum £500,000 the UK currently imposes and urged firms not to rest on their laurels while the regulation is being implemented.
Rupan said: "This reform will have significant impact because almost all businesses collect and store personal information about customers, suppliers and service providers and employees, meaning that almost every business operating in the UK will need to take action to comply with the regulation."
The regulation is due to be voted on in the Civil Liberties committee tomorrow morning. If it is approved by the committee, parliament as a whole will vote on the draft law in the new year.