GDPR, a new legal framework, was approved in the European Union in April 2016, after a seven-year journey from idea to implementation. The regulation addresses consumer rights and data privacy in relation to business conducted in EU member states.
Decoding GDPR has become a global struggle since the EU commission decided the regulation will apply to all businesses handling the personal data of European citizens, not just to EU-based companies. In short, any company doing business in Europe or online with EU citizens must be GDPR-compliant by May 2018.
A PwC pulse survey from December 2016 found that 77 percent of US corporations said they would completely reconsider their business strategies and invest between $1 million and $10 million on GDPR compliance, while 32 percent threaten to reduce their presence in Europe and 26 percent will allegedly leave the market.
What kind of data falls under GDPR protection? Any information that, on its own or combined with other fragments, can lead to identifying a person, including name, address, identification number, web location, IP address, cookies, RFID tags, biometrics, health records, political views and sexual orientation.
Are businesses right to be scared of GDPR compliance costs and the aftermath when it takes effect? Or is there just a lot of confusion around terminology that leaves room for interpretation? The stakes are high now that companies have figured out how valuable user data is for the global economy, especially for monetization.
With most left confused about what “reasonable” level of security actually means, one thing is certain: any company doing business in Europe has to figure it out by May of next year or non-compliance will bring some costly fines.
Companies undergoing GDPR preparations have named privacy policies, information security, GDPR gap assessment and third-party risk management as their top priorities, found PwC.
Although all businesses have to comply, it doesn’t mean fines worth millions will automatically start pouring in May 2018. Fines can go up to 4 percent of the company’s turnover or as high as 20 million euros, whichever is higher.
Replacing the 1995 directive, GDPR is the next logical step in internet security, finally turning data protection into a priority for all businesses. Although there are similarities between GDPR and the UK’s Data Protection Act of 1998, the new, more aggressive framework will also be enforced in the UK and will not be affected by the country’s decision to leave the EU.
UK Information Commissioner Elizabeth Denham believes a lot of false information has been spread lately, on purpose, to confuse organizations.
“The ICO’s commitment to guiding, advising and educating organizations about how to comply with the law will not change under the GDPR,” she writes. “We have always preferred the carrot to the stick. Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.”
GDPR is not the only law to attempt to safeguard data, but it is a significant improvement because it is directly applicable across all EU member states, unlike the 1995 directive, which had to be transposed into each state’s national legislation. Some businesses have already taken measures to protect user data, so the concerns apply mainly to those who have so far been oblivious to what is going on in the industry.
“The law is not about fines. It’s about putting the consumer and citizen first,” Denham adds, as she calls for “greater transparency, enhanced rights for citizens and increased accountability.”