Will the European Union's new General Data Protection Regulation impact your business?

The European Commission has approved the most stringent data privacy regulation anywhere. Here's what you need to know about how it might touch you.


Does your company do business internationally, and especially with customers within the European Union (EU)? If so, then you need to pay attention to what's happening in the areas of data privacy and data sovereignty. Big changes are underway and they could have an impact on how you manage customer information.

At the end of December, the European Commission (EC) approved the final version of the General Data Protection Regulation (GDPR). It's a massive overhaul of the EU's 1995 data protection rules (Directive 95/46/EC), which were quite out of date given the technology developments and globalization of the last two decades. The EC has been working on the GDPR since 2012 in order to strengthen online privacy rights and boost Europe's digital economy.

There are some terms in the GDPR that will have a significant impact on many businesses outside the EU. While the GDPR is a European regulation, the terms apply extraterritorially to any entity (called a data processor or a data controller) that offers goods or services to residents (called data subjects) of the EU.

Thankfully, the regulation stipulates that having a commerce-oriented website that is merely accessible to EU residents does not constitute offering goods or services. A merchant must show intent to draw EU residents as customers, for example by using a local language or payment denomination. However, there are many other ways that a business can get caught up in the regulations.

Here are a few of the more relevant aspects of the GDPR for commercial businesses:

  • An individual must be informed in unambiguous terms that his information is going to be collected and/or processed, and for what specific purpose. If the information is going to be used for multiple purposes – say for marketing or data analytics purposes in addition to processing an order – the individual must be informed of each and every purpose. Consent cannot be implied and must be explicitly given. The request for consent must be clear and concise and cannot be presented in an unusual context.
  • Data controllers are limited in the length of time in which they can keep an individual's data. The data must be erased or reviewed at the end of this time period.
  • The identity of the data controller or processor must be transparent and clear. Individuals should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data, and of how to exercise their rights in relation to that processing.
  • Data controllers must provide a means for data subjects to request access to their data, rectification, erasure and the right to withdraw consent for the data's use. Furthermore, data subjects should have the right to have their data erased and no longer processed by withdrawing their consent for processing.
  • The data subject should be informed about the existence of profiling, and the consequences of such profiling.
  • When a data controller (e.g., a business) uses a data processor (e.g., a cloud service provider) to process data on the controller's behalf, the processor must meet all the requirements of the Regulation for the security of processing. This includes implementing technical and organizational measures necessary to meet the requirements. The controller or processor should maintain records regarding all categories of processing activities under its responsibility.
  • Data controllers are required to notify data subjects within 72 hours of a data breach involving data that is not encrypted.
  • Any data that is transferred outside the EU for processing (such as putting data into a cloud application) is subject to all the regulations of the GDPR.

I could go on and on. These points just begin to touch on the specifications of how personal data can be handled under the new regulation. You can see, however, that the specifications can potentially have a big impact on how companies do business today.

The GDPR allows two years for businesses to assess the new regulations and to put the proper measures in place to assure compliance. The regulation allows for significant penalties for non-compliance, including administrative fines at up to 2% of annual worldwide sales or 1 million euros.

In the 2015 Ovum research report Data Privacy Laws: Cutting the Red Tape, two-thirds of the respondents say they expect the legislation to force changes in their European business strategy. Some companies might abandon the EU market altogether rather than spend the money and effort to comply with the new regulation. More than half the survey respondents expect that their companies will be assessed fines for violations of the law.

If you even think this regulation could have an impact on your business, there is no time to waste in assessing the situation and formulating your go-forward plans.

Stories by Linda Musthaler