The update to data protection regulation is coming. Who, exactly, needs to comply?
There will be huge implications for anyone that does not adequately protect personal data when the EU update to data protection regulation (GDPR) comes into place in just three months’ time.
Under the regulation, customers are given more power over how their data is handled and they can request companies to remove their information from databases. The fines for non-compliance are significant: up to €20 million or 4 percent of turnover if firms suffer a breach.
This puts a strong onus on payments companies to protect their data. But confusion reigns over who is covered by the EU GDPR, with some thinking there are exemptions from the regulation.
Indeed, the Data Protection Directive of 1995 did include some exceptions. But GDPR has a significantly increased territorial reach, which reflects the modern way of doing business. The reality is that, in a globalised data economy that trades frequently across borders, most companies in the world will need to align with GDPR.
The Brexit question
Some firms assume that the UK won’t need to comply with the EU update post-Brexit. This is a false assumption, however, because GDPR has already been passed and the May date is simply the date the regulation comes into force.
Moreover, any company dealing with the data of EU citizens will need to ensure it safeguards this information under the stipulations outlined by GDPR.
This is also true for businesses outside the EU (e.g. in the US) that deal with European citizens’ data. It can be complex. Many firms are unaware that, even if they are not located in the EU, according to GDPR’s Article 3 they may still be caught by the requirements. For example, where processing data relates to offering free or paid goods or services or monitoring the behaviour of EU residents. This is also true if a company lists prices in EU member state currencies.
Overall, there are very few exemptions and most of the difference will be in how the local regulators implement GDPR. In the UK, for example, the Data Protection Bill makes provisions for how GDPR works.
National laws could also see variations in the penalties for non-compliance, with some markets taking a hard stance towards companies that do not safeguard personal data. It could mean very large fines as businesses are made an example of – at least at first.
In the UK, the Information Commissioner’s Office is keen to outline that it will be more understanding towards companies who have at least taken steps to comply with the regulation. The regulator has produced a guide to GDPR, alongside a number of tools it hopes will be useful to UK businesses that might need help with their data protection strategies ahead of the May 2018 deadline.
So, who should comply with GDPR? The answer is, nearly every global company will need to ensure they are aligned with the incoming regulation. It is important, therefore, to urgently take steps to ensure you are protecting sensitive employee and customer data.