Did you know that the EU data protection regulation could mean a €2.3bn boost for business? Here are 10 ways the EU General Data Protection Regulation (GDPR) will change things for businesses that process customer data in the EU.
Last month the European Parliament adopted the EU GDPR and companies have two years – until 25 May 2018 – to comply with the changes. Those who don't meet the requirements face steep fines and huge reputational risk if they are found to be negligent in protecting their customers' data. The financial penalties for non-compliance have been set at up to 4 per cent of global turnover or €20 million, whichever is greater.
The GDPR will give individuals more control over their personal online data, including “the right to be forgotten online”. So what does this mean for companies, how will they benefit and what steps do they need to take between now and May 2018? Here are 10 ways in which the GDPR will change things for businesses that manage personal data in the EU:
1. Saving €130 million a year
First and foremost, the GDPR is a simplification of European data protection laws. Until last month, there were 28 different data protection laws in force in EU countries. The GDPR replaces them and removes the cost and administrative burden of having to inform national data protection authorities about what data your company is processing when accessing new markets. This alone costs businesses about €130 million a year, according to the European Parliament.
2. A level playing field
Consistent regulations on data protection mean that businesses and individuals in the EU are all subject to or entitled to the same standards and requirements.
3. Establishing trust
A large factor in the GDPR is the trust we have in those who hold our data, whether in a B2B or B2C relationship, and the reputational risk that companies face if there is a data security breach. Consistent rules across the EU should encourage more trust in how entities hold and process data.
4. Business benefits of €2.3 billion per year
An overall goal of the data protection regulation is to remove obstacles to cross-border trade and to enable easier expansion of businesses across Europe. The European Parliament has estimated that the benefits from removing this barrier to trade could be in the region of €2.3 billion a year.
5. Incentive for innovation
The need to protect data will incentivise companies to innovate and develop new ideas, methods and technologies for security and protection of personal data.
6. Obligation to provide data portability
Customers will have the right to 'data portability', meaning that individuals are allowed to move their personal data from one service provider to another. This will enable start-ups and smaller businesses to access data markets dominated by much bigger digital giants and attract more consumers with privacy-friendly solutions. It also means that companies will be obliged to provide data in a standardised digital format.
7. Hiring a data protection officer
Larger companies may be obliged to appoint a data protection officer – but the majority of small and medium-sized enterprises (SMEs) will not have to do this.
8. Data Protection Impact Assessments
Some companies and entities will have to carry out Data Protection Impact Assessments (DPIAs), although this will only apply in cases of very risky data processing activities (for example, personal data in large-scale filing systems on children, genetic data or biometric data).
9. Non-EU companies still have to comply
Businesses not based in the EU will still have to comply with the GDPR if they deal with the personal data of EU customers. Failure to do so could result in sanctions.
10. Broader definition of personal data
Under the GDPR, the definition of personal data is broader, so that more elements of data – such as those relating to the genetic, mental, economic, cultural or social identity of an individual – come within the regulation's remit.