EU DP Regulations likely to take a more risk-based approach
The EU draft DP Regulations should take a more risk-based approach, the EU Data Protection Authorities (DPAs) say. The EU Art. 29 DP Working Party considers that some of the provisions in the proposed Regulation may pose a burden on some controllers; all obligations should therefore be scalable. However, data subjects should have the same level of protection, regardless of the size of the organisation or the amount of data it processes, the DPAs say.
The Data Protection Commissioners' views are reflected in the EU Council's most recent Presidency note of 22 February, which says that where the risk to personal data is higher, more detailed obligations would be justified. For example, many of the articles relating to controller and processor obligations, data security and privacy impact assessments are now being redrafted to be more risk-based.
See the EU Art. 29 DP Working Party's statement about the current discussions on the EU DP framework.