The General Data Protection Regulation (GDPR) has been adopted by the European Parliament and will come into force in 2018.

When the GDPR takes effect it will replace the data protection directive (Directive 95/46/EC) from 1995. The implementation of the GDPR will require comprehensive changes of business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).The proposed new legislation introduced in the EU General Data Protection Regulation will give new requirements on how your business data is processed, who is responsible, and what happens if it is lost.

“‘Data protection by design and by default’ will become an essential principle. It will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data. Used in conjunction with data protection impact assessments, businesses will have effective tools to create technological and organisational solutions.”

Radical changes to EU Data Protection

An organisation needs to take responsibility for owning the data it processes, with accountability and risk going right up to the board. And until you take ownership, you put personal data at risk.  Cost of breaches is about to skyrocket, with fines potentially total 4% of annual worldwide turnover, to a cap of €20m.  The countdown is on, start getting ready now:

  1. If you have over 250 employees, you need a data protection officer to act as the focal point for all data protection activities;
  2. Refresh your information asset register so it clearly identifies what data is held, where, how and why – this may need a rethink as it may not be so obvious;
  3. Your privacy policies will likely need to be re-written – the new guidance states they must be written in plain English;
  4. You will need processes and procedures to handle data subject and data deletion requests.

For more information see The European Commission – Fact Sheet (21st December 2015) MEMO/15/6385