Yesterday (15 December) the European Institutions reached a long awaited agreement in trilogues on the subject of Data Protection. A revision of the existing data protection rules was long overdue as online technology has made huge leaps whilst data protection rules had remained unchanged for two decades. Bringing these rules up to speed with tech developments is crucial.
However, ESBA has been pressing the European Commission and particularly the European Parliament on the dangers of obliging all companies, large and small to hire or appoint a data protection officer, as well as having to undertake unnecessary and costly impact assessments. Large corporations and data intensive small businesses should be held responsible for the manner in which they process and manage their data as it is imperative that the privacy of the individual citizen is safeguarded. However, for those SMEs that do not handle data as a core activity, subjecting them to these expensive and time consuming rules is disproportionately burdensome, putting micro companies and startups in particular in a financially vulnerable position.
ESBA is very pleased to see that the institutions have taken these points on board and have agreed to exempt non data-driven SMEs from impact assessments and data protection officers. We encourage the Institutions to formally adopt the text as agreed yesterday, which is scheduled for the beginning of 2016.