The “right to be forgotten” will likely be one of the most challenging parts of the proposal in many cases, says Frank Maher, a partner at the law firm Legal Risk, based in Liverpool. In just one example, “you may send your [curriculum vitae to a company], and it then may be in a few people’s inboxes as well as in backup storage,” which could make the information challenging to track and delete.
The reforms also increase the penalties for data breaches. Under the new rules, organizations could be fined up to one million euros or 2 percent of the organization’s annual revenue. This increase is significant, Gelly notes, as the largest fine of a European company has been about 100,000 euros (about $132,000). Organizations with more than 250 employees will have to appoint a data protection officer.
Organizations may want to consider complying with parts of the rules even though they are not yet required to, says Feiler. “It’s still a proposal, but generally speaking, I think it could be wise to get ahead of the development and really make a point of being as good a corporate citizen as possible.” One strategy could be to focus on the parts of the regulation “that make [the best] business sense.”
One of the first steps organizations should take in preparing for the changes is to conduct a risk assessment, says Maher. This includes identifying what the risks are of “losing or keeping data and then addressing [those risks].”
Experts note that the proposed changes could be a boon to international commerce because the new regime will provide more consistency by introducing one set of rules for the continent. That would simplify the process of getting the authorization needed to transfer data across international borders, says Gelly. Gaining such authorization under the current rules can “take weeks or months,” she says.
Due to reduced administrative, compliance, and other costs, it is estimated that the new rules will save European businesses a considerable amount, about 2.3 billion euros (or about $3 billion) annually, according to the European Commission. At the same time, it is hoped that the initiative “will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs, and innovation in Europe,” according to a Commission statement.
The European Commission has said that it is aiming to pass the changes in 2012, but many are skeptical that it will be able to meet that deadline. One reason it will be hard to pass is that European nations tend to differ on how they view privacy and data protection, Grant says. She also cites other EU priorities, including significant financial issues. That said, if the proposal is accepted by the EU, Grant says it is likely the rules will quickly be ratified, as many nations are eager to come to a common agreement on new rules.