The UK Information Commissioner’s Office and privacy law specialists have warned CEOs not to ignore the looming deadline for implementation of the European General Data Protection Regulation (GDPR). Companies have only 15 months left to prepare before the GDPR becomes applicable on May 25, 2018. As Eduardo Ustaran, European head of privacy and cybersecurity at law firm Hogan Lovells, told Bloomberg, “because the GDPR is completely new, very few people know how to interpret it, let alone comply with it”.
The new rules, which entered into force on May 24, 2016, have set a high bar for personal data protection across the globe. Hogan Lovells and advisory service KPMG, among others, have issued advice and guidance to companies on investing in readiness plans. Should companies choose not to heed this preparatory advice before the application deadline in 2018, they risk new non-compliance fines of up to four percent of their global turnover or €20m, whichever is greater.
The GDPR’s predecessor, the Data Protection Directive, was created in the pre-Facebook era to regulate personal data within the EU. The internet boom has meant an increase of data flowing across borders and a lack of harmonisation between member states in regulation. These new regulations have been designed to address this fragmentation and simplify the regulatory environment for business.
New rules include reporting of data breaches within 72 hours, and the extension of the right to be forgotten beyond simple web searches. This means citizens should be able to ask social networking sites to delete their profiles entirely.
Some companies will also require the designation of a data protection officer, and legal departments will have to reconsider contractual agreements with third parties that involve processing of personal data. Online advertisers will also face stricter rules on how they use browser history data to target web users.
The new financial penalties will be applicable for a variety of violations concerning consent, privacy rights and orders from privacy regulators. Importantly, they will be applicable to all companies, located in the EU or not, provided they possess data on European citizens.
Though the EU has advocated that “a single law will also do away with costly administrative burdens, leading to savings for businesses of around €2.3bn a year”, the increased obligations on companies to track data flows and comply with the new rules will not come cheaply. With the deadline looming, companies will have to face the decision to either fork out the cash and get in shape, or risk the wrath of the regulators.