Small biz exemptions in EU privacy overhaul

Most start-ups and small businesses with fewer than 250 employees will be exempt from a new obligation to appoint a data protection officer, according to the European Union's (EU) new data privacy proposals. Viviane Reding, vice-president of the European Commission, announced this as an example of how the EU plans to reduce the administrative burden on small companies, to help them grow.
"Many, if not the large majority, of SMEs will be exempted from the obligation to appoint a data protection officer," said Reding at a press conference detailing the EU data protection reform. In addition, small companies will be exempt from producing reports on their data protection policies and from carrying out obligatory data privacy impact assessments, unless they handle high-risk information such as biometric or genetic data, or data on children. "Think small first when you regulate," Reding said. "Help the young companies to become big. Help them to do their job and not to be drowned by administrative burdens."

The new data protection laws announced by Reding contained few other surprises after the preview she gave earlier at the Digital, Life, Design (DLD) innovation conference in Munich. Under the new regulations, all companies and organisations must notify the national supervisory authority and affected citizens of any serious data breach "as soon as possible", which Reding said she takes to mean within 24 hours.

There will also be a single set of data protection rules applying across the whole of the EU, instead of separate rules in each of the 27 member states. Companies will no longer have to notify multiple data protection authorities, which Reding said will save businesses around €2.3 billion a year. Organisations will deal with only one national data protection authority, in the EU country where they are mainly based. "One rule for 27 member states and 500 million people. One data protection authority for one company. One authorisation for the whole of the European Union," said Reding.

The new EU data protection laws will also require organisations to write privacy policies in clear and plain language so that citizens know how their data will be used. Citizens will have to give explicit consent before an organisation may use their information, and will have the right to have their data deleted and to move it from one provider to another.
"Data portability will improve the competition among services," Reding said. Reding also hopes to strengthen the powers of the independent national data protection authorities, such as the Data Protection Commissioner in Ireland. These authorities will be able to fine companies that violate the EU data protection rules, with penalties of up to €1 million or up to two per cent of a company's global annual turnover. Reding's proposals will now be discussed by the European Parliament and the EU member states, and the changes will come into effect two years after they have been adopted.
Read more: http://www.techcentral.ie/18178/tech4biz#ixzz1lE2qMYby


