GDPR and data regulation in the EU and beyond
The GDPR focuses on the individual rights of EU citizens concerning their personally identifiable information (“PII”) and establishes data protection principles (“Principles”) governing how this PII is managed by whoever holds and uses it.
The Principles are effectively an EU-wide mandate restricting how businesses and organisations gather and use information on individuals, as well as increasing the pressure to improve safeguards for data handling and protection.
In today’s connected world, wherever data is held, there is always a risk of processing errors or loss of data. This risk occurs whatever the form, or content, of the data.
The GDPR widens the definition of PII, significantly increases the rights of individuals and places greater strategic responsibility on those who decide how and why the data is to be used (aka Data Controllers), and greater operational responsibility on those who process the data (aka Data Processors).
It is not just in the EU where this new regulation is having an impact. Businesses outside of the bloc, like those headquartered in the US, that do business in the EU and hold information on its citizens are also required to comply with GDPR.
This upcoming change is being taken very seriously by large multinational corporations, particularly in the US, with research by PwC revealing that more than half of US-based multinational businesses view GDPR compliance as their top priority.
The same research also found that more than three quarters (77%) are planning to spend at least $1m ensuring they meet the requirements of GDPR.
Despite the Brexit vote, GDPR will play a significant part in future data protection in the UK with a newly unveiled Data Protection Bill ensuring GDPR is implemented essentially in its entirety into UK law.
Even if this were not the case, UK companies that do business with EU citizens would still be significantly impacted by GDPR, just like companies all over the world that trade in the EU and hold information on its citizens.
The rest of the world is taking considerable note of the penalties for failing to comply with GDPR, which could be as high as 4% of annual global turnover or up to €20m, whichever is higher. Jurisdiction issues may at first appear to provide a haven, but the presence of assets, such as subsidiaries, within the EU makes the threat of these penalties real.
To put the new penalty regime into context, a US headquartered company like Apple with worldwide revenues of $216bn could, in certain circumstances, face a fine up to $8.6bn.
Ethical use of data
Businesses all over the world sit on a goldmine of personal data that can be exploited to their commercial advantage using ever-improving data analytics technology; they now need to consider the ethical use of that data.
GDPR has brought this into focus, particularly where this involves EU citizens. With more businesses operating across borders, this new law will likely increase standards of data protection across the world. It may become a benchmark for individual nations to further develop their own data protection laws and regulations. In the meantime GDPR will be one of the biggest challenges to businesses operating globally for decades.
Individuals' rights, including the right to be forgotten, the right to be informed, the right of access and the right to restrict processing, amongst others, have been enhanced under GDPR, so it is worth revisiting your procedures to make sure you’re protected.
Even if your business is not headquartered in the EU, if you wish to trade and hold information on EU citizens, your approach to GDPR must soon become part of your IT strategy.
Ian Smith, Financial Director & General Manager of Invu