
Companies unprepared for changing EU data privacy law – and penalties

Research by Truste has shown that many companies are unaware of the EU’s General Data Protection Regulation (GDPR), which will replace the existing national frameworks for data protection in each EU country.

The regulation aims to boost online privacy rights and strengthen the EU's digital economy. It will simplify how companies store and protect their data in the EU, improving customer confidence and, the EU estimates, saving businesses around €2.3bn a year. The regulation will apply to all businesses, whether based in the EU or not, that process the data of EU citizens.

Companies found in breach of the data protection regulation could face a penalty of up to €100 million, or 2-5% of annual worldwide turnover, whichever is greater. Despite this, the study by Truste found that around half of all companies are unaware of the GDPR. A smaller group are more informed, however, and some have already started to budget for the necessary changes. Awareness was the highest among financial services companies (58%) and lowest among tech companies (43%).

Truste's CEO Chris Babel said: “Despite over four years of high profile negotiations, half of companies are still unaware and there is a worrying chasm between those who are actively preparing and those blind to the changes ahead.”

Two-thirds (65%) of companies aware of the GDPR are already starting to prepare for it. More than 80% have already allocated budget and one in five have allocated more than $0.5 million.

Almost three-quarters (73%) agreed that the GDPR is the most important change to data privacy legislation for 20 years. According to Truste, four out of five companies (82%) felt the changes would have a positive impact on consumer data protection.

There is no set time frame for the introduction of the GDPR but the final stages of trilogue discussions between the European Commission, European Parliament and the EU's Council of Ministers are due to be concluded in November or December 2015. EU Commissioner Vera Jourová has said that “we are on track to adopt the data protection reform in 2015”. Once the reform is agreed, it will be enacted within two years, so companies can expect to see it come into force at the end of 2017.

The main points of the GDPR are:

  • substantial new penalties of up to €100 million, or 2-5% of annual worldwide turnover, whichever is greater;
  • increased territorial scope, impacting more businesses including many outside the EU;
  • tighter requirements for obtaining valid consent to the processing of personal data;
  • new restrictions on profiling and targeted advertising;
  • new data breach reporting obligations;
  • direct legal compliance obligations for “data processors;” and
  • extended data protection rights for individuals, including the “right to be forgotten”.

