EU edges towards risk-based data protection

The European Commission seems to favour a more risk-based approach to data protection, following lobbying from at least nine countries, including the UK, Germany, Sweden and Belgium. This would mean that organisations dealing with sensitive personal data (health records, for instance) would be subject to greater compliance obligations under the proposed EU Data Protection Regulation than, say, a hairdresser.

The idea is that the accidental leak or loss of sensitive data would have a greater impact on an individual’s privacy than the simple name and address data a local business may hold on a person. The European Council of Ministers and the Commission have not yet agreed on how the risk would be determined, but it is likely that the size of the organisation will also be taken into account.

This is a welcome development, and it is hoped that the Commission may make other changes to the proposal. The UK Government and the UK Information Commissioner’s Office (ICO) have previously criticised the European Commission’s proposal for being too prescriptive and for not taking account of the risk posed by the type of personal information being processed. (See the ICO’s most recent statement on this.)

Pseudonymised data
The Council of Ministers is looking at whether data controllers and processors can benefit from reduced compliance obligations if the personal information is pseudonymised (where an organisation scrambles information to make the data record less personally identifiable but the data controller retains the ability to unscramble it). The DMA and other industry groups have been lobbying for compliance obligations to be reduced for pseudonymous data.

Differing approaches across the EU
Member States have different approaches with regards to certain aspects of a risk-based approach in the draft Regulation.

  • Data Protection Impact Assessments
    Organisations are required to carry out a data-protection impact assessment when introducing new methods of processing personal information which are likely to present specific risks to individuals. While Member States agree on the need for data protection impact assessments in such cases, some are questioning a provision in the draft Regulation, which requires an organisation to consult with the relevant national data protection authority where such an assessment reveals a high degree of specific privacy risks and prohibits an organisation from starting any data processing activities during this consultation period.
  • Appointment of a data protection officer
    All organisations with 250 employees or more are required to appoint a data protection officer. Some Member States believe that the appointment of a data protection officer should be optional rather than mandatory. They also suggest that organisations that appoint a data protection officer should be rewarded with lighter compliance obligations, as this would help to incentivise the appointment of such officers.
  • Codes of conduct and certification mechanisms
    The draft Regulation explicitly recognises codes of conduct and certification mechanisms. Several Member States consider that there is scope for linking approved codes of conduct and certification mechanisms into the risk assessment process. This might mean that if an organisation signs up to an approved code of conduct, or its data processing operations have been certified, then it would not have to carry out data protection impact assessments.

Over 3,000 amendments to draft Regulation
MEPs have made over 3,000 amendments to the draft report from the Civil Liberties, Justice and Home Affairs Committee (LIBE), published in January 2013. The deadline for submitting amendments was the end of February. The LIBE Committee is now sifting through the amendments. The LIBE Committee is still planning to keep to the current timetable with a vote in committee in April and a debate on the floor of the European Parliament in June. FEDMA and the DMA are now reviewing the amendments.

What we can do to protect our industry
There is still time to lobby your regional MEP on the draft Regulation. The DMA has produced a lobbying kit.

The DMA will continue to lobby MEPs on this issue and is working closely with FEDMA and the UK Data Industry Group (made up of trade associations and clients from the advertising, marketing and communications sectors).

James Milligan, Solicitor, DMA
