EU overhaul of data legislation: the countdown begins

Businesses are being reminded that one year from today, the European Union’s (EU) General Data Protection Regulation (GDPR) will be enacted, radically transforming the relationship that businesses have with personal data through a raft of new obligations and consumer rights.

Described as “the most lobbied piece of legislation in history”, the GDPR imposes a set of requirements on the way firms collect, store, process and protect the personal information of customers, clients and employees in response to the swift development of the digital economy.

Among the many changes, the GDPR will introduce new, explicit definitions of consent, together with consumer rights to erase, rectify and transfer data, and a common data breach notification requirement.

“For consumers, the GDPR affords them a number of additional protections regarding their data and really gives them a say in how this data is managed and used,” said Gé Drossaert, group chief commercial officer (CCO) and board member at Fidor, the digital banking software provider.

“Meanwhile, for financial institutions, with GDPR they face a regulatory landscape which is more complex and which ultimately increases their costs as they try to get ready before May 2018. However, crucially, GDPR also creates a significant opportunity for banks to become more transparent in their business practices, which can only enhance the trust levels with their customers.”

The issue of whether the GDPR will be applicable to firms in the UK once the country ceases to be a member of the EU was addressed last year by the government’s secretary of state for culture, media and sport, Karen Bradley.

The UK will still be a member when the regulation is enacted next May and Bradley confirmed that it would be “expected and quite normal for us to opt into the GDPR”. Beyond that the government would “look how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Failure to comply could lead to fines of up to €20m or 4% of a firm’s turnover. A recent survey suggested that many chief information security officers (CISOs) have made GDPR compliance an investment priority for the coming year.

However, an independent survey from security software provider Varonis Systems, which polled 500 IT decision makers in the UK, US, France and Germany, found that three in four firms believed they would struggle to meet the May 25 2018 deadline. In addition, 42% said that compliance wasn’t a priority for their business.

“With the prolific rise in the use of data in today’s society, GDPR will have a massive impact on firms all over the world,” said Christopher Burke, chief executive officer (CEO) of management and technology consultancy Brickendon. “Companies that handle client data now have clearly defined obligations and failure to comply could lead to hefty fines and possible lawsuits.

“The key is to act now and ensure you know what areas of your business will be affected, what changes need to be made and how you are going to facilitate those changes. Careful consideration at this stage will avoid the need for costly changes and the possibility of reputational damage at a later stage.”
