In three months, the new EU General Data Protection Regulation will come into force, but there’s a high level of uncertainty
On 25 May 2018, the new EU General Data Protection Regulation (GDPR) enters into force. It affects practically every company that stores customer data in digital form. The harmonisation of data protection law across the EU aims to ensure better protection of personal data. The GDPR regulates how companies and public institutions must handle personal data. Under the GDPR, data subjects (the persons whose data are processed):
- should be able to obtain information on the data collected about them more easily and in terms that are easier to understand.
- can request that their data be transferred to a different provider (data portability).
- have the right to be forgotten; that is, all their data must be deleted upon request if there are no legitimate reasons for retaining them.
- must be informed about data privacy violations faster and in a manner that is easier to understand. In the future, companies must inform the competent supervisory authorities about any incident within 72 hours.
According to a survey by the consulting firm EY published at the beginning of February, only 33% of the companies surveyed worldwide have a concrete plan for implementing the regulation. In Europe, this figure is significantly higher at 66%, but there is a lot of uncertainty here, too.
Concrete challenges in implementation
Because of the changes, finance departments must document who has access to payment transaction data. To use their customers' data, companies must obtain permission from each individual customer; a general note in the terms and conditions is not sufficient. In the future, customer data that are no longer necessary for the fulfilment of the contract must be deleted or anonymised.
Reducing the amount of data stored makes it much harder for companies to do big data analytics. In addition, it is not just the finance departments that are affected, but also the sales and personnel departments. Which departments process which data must be documented by companies in a transparent, up-to-date manner, so that the necessary information can be provided in the event of claims for damages by customers or inspections by authorities.
Fines for infringements can amount to up to €20 million or 4% of a company's worldwide annual turnover. The severity of the action taken against infringements will vary from country to country, as there is no single central authority responsible; enforcement lies with each country's own data protection authority.
Experts expect certifications to play a bigger role in the future: A corresponding data protection seal proves that a company complies with the requirements of the EU GDPR and, depending on the certification, with additional national requirements in all data protection-relevant processes.
So far, data protection has often been a competitive disadvantage for European companies, as non-EU providers have faced far fewer privacy obligations.
The new standard will therefore have worldwide consequences: the requirements do not just apply to EU-based companies but follow the marketplace principle. This means that all companies that market their products or services to EU citizens are subject to the new requirements and the extended liability.
Please contact us if you are unsure how to implement the EU General Data Protection Regulation in your company. We’ll be glad to assist you with the professional implementation of data protection requirements.