New EU General Data Protection Regulation Much Stricter
The EU’s General Data Protection Regulation, which will enter into effect next year on May 25, 2018, affects essentially any company that stores customer data in digital form. Standardizing the data protection legislation across the EU should provide better protection of personal data while guaranteeing the free movement of data within the European single market.
This new standard will also have global consequences: The required measures do not apply only to companies based in the EU; they follow the principle of lex loci solutionis, the law of the place where the relevant performance is carried out. This means any company that markets its products or services to EU citizens is subject to the new requirements.
Since these requirements are much stricter and more complex than those of Directive 95/46/EC, which has been in effect until now, IT departments and data protection officers in particular should start preparing now to ensure their companies' compliance with the new legislation.
Most Important Innovations
The new key elements of the General Data Protection Regulation (GDPR) stipulate that in the future customers
- should be able to obtain information on the data collected about them more easily and in terms that are easier to understand.
- can request that their data are transferred to a different provider (data portability).
- have the right to be forgotten; that is, all data must be deleted upon request if there are no legitimate reasons for saving their data.
- must be informed about data privacy violations faster and in a manner that is easier to understand. In the future, companies must inform the competent regulatory authorities about any incident within 72 hours.
Extensive Adaptations Required on the Part of Companies
To meet all these requirements, companies must optimize their processes at multiple levels. First, they must carry out an inventory of where and in which form customer data are saved within the company. This can be a daunting task in times of more flexible forms of work and IT systems that are becoming increasingly mobile.
In addition, new procedures for handling data must be introduced company-wide and their compliance must be verified. In this respect, it can be useful to automate certain processes. The General Data Protection Regulation requires the introduction of the concept of privacy by design, that is, including strict data protection at the initial stages and throughout the entire scope of a project.
Harsh Penalties in Case of Non-Compliance
The penalties that will be in force for failure to comply with the new regulation make it clear that the EU is quite serious about data protection. Companies risk up to 4% of their global profit or up to 20 million euros.
An additional incentive for rapid and rigorous compliance with the new regulation is the high risk of litigation. In the event of data protection violations in the future, not only could stakeholders and consumer protection organizations bring collective actions, but competitors could also file complaints of unfair competition. At any rate, companies should not wait to implement the EU's General Data Protection Regulation, but rather approach it head on.