Come 25 May 2018, companies that have customers in the EU, or that are part of a value chain serving EU customers, will need to be on their toes; those that have not been preparing for the past couple of years will now face challenges.
The regulation is the most sweeping piece of data privacy legislation of the last 20 years. It affects any company or organization that processes the data of any EU citizen, and it applies whether or not that company is based in the EU itself. Under the GDPR, companies will now be held accountable for how well they check the compliance boxes and safeguard their regulatory obligations under the GDPR and the Data Protection Directive (DPD). GDPR requires that consumers be given transparency, choice and control over their data.
GDPR has significantly broadened the scope of PII. According to the ICO, it now covers "any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier." In practice, this means names, dates of birth, email and home addresses, telephone numbers, online identifiers, genetic and biometric data, mobile device IDs, IP addresses and much, much more. It applies not just to customers and prospects but also to your employees and to individuals in other businesses you might be interacting with or selling to. All of this makes data minimization an essential practice to reduce your compliance burden and your exposure to data breach-related risk.
Part of the reason to take such notice of GDPR is the size of the fines involved for noncompliance. For the most serious breaches, regulators will be able to issue penalties of up to 4% of annual global turnover or 20 million euros, whichever is greater; even less serious breaches can still attract a fine of 10 million euros or 2% of global turnover, with all the proceeds of the fine being handed over to the Treasury. For large companies, these fines could run into hundreds of millions of euros. The regulation will now make many companies "take a good, hard look at what they're doing around people, process and technology, much more so than ever before." GDPR also gives many organizations the opportunity to become more efficient, with increased security, better scale and yet more granular control.
GDPR is also part of the reason why Facebook is asking users to review their privacy settings, covering things like whether advertisers can target them based on religious and political views or their sexual orientation. Even though Facebook is a U.S. company, the rules affect how it operates in other countries, because its users are connected globally.
There may be some short-term pain due to GDPR, but it will help create awareness, trust and better customer experiences, and will thus lead to more long-term loyalty and, over time, better shareholder value.
No one knows exactly what will happen after May 25. There could be a grace period while regulators figure out how they want to enforce GDPR, understanding that compliance is a long, arduous process. But the EU may instead look to immediately make an example of businesses that ignore the new mandates or fail to prioritize them accordingly.