Businesses face considerable upheaval and fines of up to 2% of their global annual turnover if they breach new proposed EU data laws.
A new Regulation proposed by the European Commission today is set to replace the existing 1995 Data Protection Directive and follows several years of consultation intended to update existing data protection rules and achieve a greater degree of harmonisation across Europe. If passed, the draft regulation will apply across all EU member states without the need for any domestic implementing legislation.
According to Heledd Lloyd-Jones, a lawyer and regulatory law specialist with Morgan Cole, the draft regulation will result in considerable change for businesses:
"These proposed Regulations will amount to a significant change in the detail of the law and are likely to bring with them considerable upheaval for businesses. While some of the proposed changes will bring welcome clarity in certain areas, there will be a need for companies to review, and in many cases overhaul, their policies, procedures, systems and staff training. There will also be challenges in terms of ensuring IT systems are set up in a way that enables organisations to comply with new rights, including, for example, a new "right to be forgotten."
"Without doubt, the proposed changes would increase compliance costs and the regulatory burden for businesses. They would also limit the current scope there is for businesses to use personal information for certain purposes, for example marketing, without consent. In addition there will be a whole new category of organisations that will become subject to the law directly because the Regulations would apply not only to data controllers but also to their contractors. They would have a steep learning curve because many of them are not subject to the current legislation."
"The proposed penalty regime is a tough one; the intention is to ensure that data protection compliance is taken much more seriously across all sectors. A fine of up to 2% of annual turnover is a cost that no business can afford, particularly in the current climate."
The draft regulation retains many of the features of existing data protection law but seeks to strengthen the rights of individuals and extend the role and powers of regulators. Key features include:
- A duty to report data breaches to the regulator and to affected individuals within 24 hours
- A new right to be forgotten; organisations will have a duty to comply with requests for the deletion of personal data unless there are legitimate grounds for retention. Individuals will also acquire a new right to "data portability", entitling them to obtain copies of their electronic or digital data in a commonly used, reusable format
- A new regime of financial penalties, with regulators gaining powers to impose fines of up to 1 million Euro or 2% of global turnover in the most serious cases
- Obligations on larger organisations to appoint a suitably qualified, named Data Protection Officer, with a guaranteed minimum two-year term of appointment, who will be responsible for compliance; companies will be obliged to make sufficient resource available to this officer to enable him or her to comply with his or her obligations
- An end to the use of implied consent as a basis for handling personal data. Under the draft Regulations, organisations will have to obtain explicit consent unless there is some other legitimate basis for handling personal data without consent. Significantly for organisations that currently rely on opt-out consent arrangements, the draft regulations specifically provide that silence or inactivity will be insufficient to constitute consent. In addition, the regulations prohibit the use of personal data for commercial marketing purposes in the absence of explicit consent
- Obligations to provide individuals with additional information about the use of their data, including storage periods and information about international data transfers
- New obligations on contractors who are engaged to handle personal data on behalf of data controllers; under the Regulations, data processors will become directly liable to fines and compensation claims if they breach data protection rules.
Heledd Lloyd-Jones finishes: "There is no need for businesses to take any immediate action as a result of today's announcement, but it does make good commercial sense to consider what changes will be required and the impact of the introduction of the new regulations."