The European Union’s far-reaching data privacy law, the General Data Protection Regulation (GDPR), will come into force on 25 May 2018. It brings with it a number of changes to the data privacy laws across Europe and places a significant burden on businesses to comply — and demonstrate compliance — with the new regime. However, a recent study found that 65% of companies are not ready for the GDPR. Are you one of the 35%, or do you still have some work to do?
Replacing a previous law called the Data Protection Directive, the GDPR is intended to harmonize data privacy rules across the EU. Key changes under the new regime include:
- A requirement for businesses to be transparent about what data they have and what they will do with it
- Enhanced rights for data subjects, including the right to request a copy of any data held, free of charge and in an electronic format
- A requirement for some organisations to appoint a Data Protection Officer
- A tightening in the way that consent to process a person’s data may be collected
- A new obligation to report breaches both to the regulator (in the UK’s case, the Information Commissioner’s Office) and to the data subjects
- Fines for non-compliance of 4% of worldwide turnover or €20 million
Businesses in Europe and companies that have operations and customers in the EU must be in compliance with the GDPR effective 25 May 2018 — there is no transition period. To cut through the myths and misconceptions about the law and ensure that you are following a sensible approach to compliance, contact your Ally Law cybersecurity and privacy lawyer.