Coming into effect on May 25th, 2018, the General Data Protection Regulation (GDPR) is replacing the European Union’s previous data directive governing consumer data collection, storage and usage, aiming to give consumers more protection and control over their personal data. All companies doing business with European consumers will have to adhere to new data privacy practices in Europe.
A common misconception about this game-changing regulation is that it only affects the 28 European Union member states. In fact, the regulation's reach extends to companies in countries outside the EU that want to do business with European consumers.
Potentially Lethal Fines
The new GDPR is a much more capable beast than its predecessor when it comes to generating crippling fines for businesses that fail to comply with the new law. Poor data protection practices, or data breaches caused by a company's own negligence, can bring about catastrophic fines of up to €20 million or 4% of global revenues.
Not The Only Ones
Europe isn’t the only region of the world toughening up its data protection laws. Canada and Australia are revamping theirs as well, with other countries following in their footsteps. More than ⅔ of US companies believe the new laws will force them to rethink their strategies in Europe. They also feel that European companies will have a home-team advantage and therefore be better equipped to address the regulations, which will yield a competitive advantage.
The Bill Of Rights
All this and more has been reported by getelastic.com, where it was also stated that the GDPR can be thought of as a kind of consumer bill of rights governing data usage. The following are some of these rights:
- Consumers must be able to access their personal data, know what is being collected and used by companies, and why.
- Consumers “own” their information. Data accumulated on a consumer cannot be sold to third parties without permission.
- Companies must protect an individual’s IP address or cookie data with the same rigor as a name, address, and Social Security number.
- Consumers have the right to request that their data be transferred to another business.
- They may demand that any personal data be erased at any time from companies and third parties.
- Companies must create new systems that put privacy first – not as an afterthought. Companies will be allowed to collect, store, and process information only if it is verifiably necessary.
- Data breach notifications are mandatory and must be sent to individuals within 72 hours for any event that puts the rights and freedoms of individuals at risk.
Privacy Policies Reworked
With inescapable global implications, most companies around the world are reworking their privacy policies and implementing consent practices. A PwC survey concluded that 77% of US companies plan to set aside $1 million or more for readiness and compliance efforts. Of these, 68% said they will invest between $1 million and $10 million, and 9% expect to spend more than $10 million on GDPR compliance.
The ridiculously high fines are a real possibility, so investments like these in compliance look almost economical. The fines are, however, not the only thing to worry about. Loss of consumer trust and loyalty can be even more devastating: consumers are increasingly unlikely to do business with a company that has lacklustre data protection policies.
The end of May will be here before we know it, bringing this regulation hurtling into reality. More information on it can be found by visiting EUGDPR.org.