Another widespread concern has been the regulation’s requirement that companies report breaches in 24 hours, says Harriet Pearson, a partner at Hogan Lovells. In many U.S. states, companies are given 45 to 60 days. But “there’s been a fairly unanimous reaction to the 24-hour window as being extremely unreasonable and impossible to meet” in all but a few instances. It can be time-consuming to conduct a proper investigation.
The committee also raised concerns about the manner in which changes are being proposed. In addition to the new regulation, which mainly addresses substantive data privacy matters, a separate directive, which pertains to judicial matters, has also been released. Unlike the regulation, the directive would have to be approved and assimilated by individual nations before it went into effect. The committee said it would need to clarify how the directive would affect current police powers and how the country would reconcile differing provisions in the legal instruments over time and as court decisions separately affected them. One committee suggestion would be for the EC to create more consistency between the two proposals “from the outset.”
For its part, the EC has said it will continue to work towards reducing administrative burdens. In a recent speech to EU ministers, Vivane Reding, the EC’s justice minister, noted that such businesses are already exempt from certain requirements, including one requiring organizations to hire a data protection officer. Reding said the Commission is prepared to look at whether the SME (small- and medium-sized enterprise) exemption could be broadened to other areas and whether there could be more flexibility for such organizations based on factors such as the sensitivity and quantity of processed data.
But she said such considerations wouldn’t, for now, extend to larger organizations. “Let's be frank: we should not fall into the trap of some lobbyists expressing concerns for SMEs but in fact referring to provisions relevant for large multinational firms.”