Here comes the GDPR
The legal and regulatory environment of business is already tricky to navigate, and it’s going to get trickier because of the EU’s General Data Protection Regulation (GDPR). The GDPR is a law with global impact and potentially significant consequences for any business that handles European citizens’ data. This means that it will probably affect you and your business, so it’s good to understand what the law requires, and by when, so that you’re ready when it takes effect on May 25, 2018.
The GDPR replaces two older Directives: Directive 95/46/EC (from 1995), which focused on data protection, and Directive 2002/58/EC (from 2002), which focused on privacy. The GDPR largely retains the principles and terminology of the 1995 Directive, but it also adds some new principles, such as a stricter concept of consent, a requirement for data portability and the right to be forgotten. The GDPR has a broader scope than the previous Directives, both in terms of the number of organizations it applies to and the types of data it covers. It also has tougher penalties for non-compliance.
Benefits of the GDPR
While the GDPR may seem like a potential regulatory nightmare, it may have significant benefits for companies doing business in Europe. It may eliminate the many inconsistencies in the patchwork of national security and privacy laws that currently make it tricky to do business in Europe, and it may eliminate the costs of dealing with multiple data protection authorities. It may provide much-needed clarity around the use of newer technologies that many businesses now rely on, like social media, cloud computing and big data. It may provide guidance for the use of newer ideas like behavioral economics and neuromarketing. And from the point of view of your customers, it will ensure greater protection for their personal data.
Under the older Directives, a company without a legal establishment in an EU country was not subject to them unless it had employees or some other presence (like servers) in an EU country. This changes under the GDPR, which applies to any business offering goods or services to individuals in the EU or collecting data on their behavior. So even a foreign-based web site that European customers or businesses use may become subject to the GDPR.
Businesses are routinely asked to make contractual representations and warranties of compliance with all applicable laws, and this can easily include the GDPR. It is also quite possible that EU regulators or courts will require EU businesses to stop doing business with foreign businesses that do not comply with the GDPR.
Penalties for Non-compliance
If you directly do business in the EU, the penalties for not complying with the GDPR can be significant – up to the greater of 20 million euros or 4 percent of the previous year’s sales. The typical company today has a profit margin of about 7.3 percent of sales, so a fine of that size can easily wipe out most of the profit for an entire year. It can even make the difference between operating in the black and operating in the red. So the GDPR is definitely a regulation to take seriously.
What’s required to comply with the GDPR? That will be the subject of future posts.
To learn more about GDPR, download IDC’s whitepaper, Enabling GDPR Compliance Through Innovative Encryption AND Key Management Approaches, and listen to this webinar, GDPR: make compliance good for your business, with IDC’s Duncan Brown and HPE’s Tim Grieveson.