Data protection is currently the subject of intensive discussions at the European Parliament. A draft proposal for a regulation on data protection is being debated at the Committee of Civil Liberties in anticipation of an important plenary vote on the draft legislation in spring.


The draft regulation, unveiled by the European Commission in early 2012, will have a huge impact on the business community as a whole, as it will affect practically all businesses in every sector undertaking an activity in the EU.

The draft regulation introduces new rules stipulating companies would have to comply with a set of obligations related to the management of online personal data, the reinforcement of the ‘right to be forgotten’ and the accessibility to personal data once processed by companies.

From a business viewpoint, the compliance costs related to this new EU legislation heavily outweigh the announced savings that EU-based companies stand to gain through the implementation of a single set of rules on data protection, valid across the entire EU.

In practice, this means that companies will only have to deal with a single national data protection authority in the EU country where their head offices are located.

On the reverse side, the current debate in the European Parliament is adding more burdensome constraints to the already high compliance costs ushered in by the Commission’s original proposal. At a recent committee vote, a new burdensome obligation in the shape of the designation of a Data Protection Officer (DPO) was introduced in the draft legislation. This obligation is particularly worrying as it not only removes the exemption for SMEs regarding the hiring of a DPO, but also prevents businesses from jointly shouldering the cost of hiring a single DPO.

The mandatory engagement of a data protection officer and the related compliance obligations in informing the data protection authorities on the handling of clients’ personal data are simply a disproportionate burden, effectively constituting a prohibitive financial cost especially for small businesses.

Maltese business is particularly concerned about the threshold of 500 data subjects, triggering the necessity for a company to designate a DPO to control and monitor the processing of personal data. The proposed threshold is certainly very low, as it would be easy even for a microenterprise to process data related to more than 500 data subjects a year.

Clearly the management of data constitutes a significant operational and cost challenge for all business categories. The amendments being steered at the European Parliament are based on the wrong precept of a ‘one-size-fits-all’ approach, completely side-lining the proportionality principle in so far as SMEs’ concerns with the regulation of data management go. It therefore makes sense that the European Parliament re-introduces the SME exemption as originally included in the European Commission’s draft proposal.

This would ensure that the new data protection regulation does not translate into additional regulatory costs for business, which would ultimately defeat the very purpose of the new rules, which is to be effective and practical for the data subjects, businesses and the authorities alike.

For more information on EU business affairs, contact the Malta Business Bureau at info@mbb.org.mt or on 2125 1719.

Omar Cutajar is the Malta Business Bureau’s Permanent Delegate in Brussels.
