The new EU Data Protection Regulation

The text of the new EU General Data Protection Regulation has been finalised. Here's what every information professional needs to know.


Security Breaches

Under the DPA, even in the case of the most serious data breaches, there is no requirement to inform the ICO. Article 31 of the Regulation requires that, as soon as the Data Controller becomes aware that a personal data breach has occurred, it must notify the ICO of the breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification cannot be made within 72 hours, an explanation of the reasons for the delay must accompany the notification to the ICO, and information may be provided in phases without undue further delay.

Furthermore, Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms, in order to allow them to take the necessary precautions. This notification should describe the nature of the personal data breach and give recommendations for the individuals concerned on how to mitigate potential adverse effects. It should be made as soon as reasonably feasible, in close cooperation with the ICO, and in line with guidance provided by it or by other relevant authorities (e.g. law enforcement authorities).

Data Protection Officer

Section 4 of the Regulation introduces a statutory role of Data Protection Officer (DPO). Most organisations handling personal data, both Data Controllers and Data Processors, will require a DPO who will have a key role in ensuring compliance with the Regulation. A group of undertakings may appoint a single DPO provided that he/she is easily accessible. Public bodies may also have a single DPO for several such authorities or bodies, taking account of their organisational structure and size.

The European Parliament and Council will formally adopt the final text of the Regulation in the next few months. It will come into force two years thereafter. Training and awareness at all levels need to start now.

Ibrahim Hasan is a solicitor and director of Act Now Training, which runs workshops on the new Regulation throughout the UK.
