EU General Data Protection Regulation – How will the new customer protection laws affect companies?
On the 14th of April, the new and long-anticipated General Data Protection Regulation (GDPR) was passed. It will officially enter into force 20 days later. European companies will then have two years to bring their data protection arrangements into line with the Regulation. The Regulation does not only affect European companies, but also international businesses that process the data of European citizens.
The new Regulation replaces the data protection directive from 1995 (Directive 95/46/EC). Generally speaking, there is nothing wrong with an EU-wide data protection regulation that harmonizes the current laws. But it is important for companies to start making arrangements soon:
“With […] a lead time of only two years before the Regulation takes effect directly in all member states, organisations will need to start preparing now for what will be the biggest change to data protection laws in over 20 years,” says Kuan Hon, a British data protection law expert.
While the new Regulation will strengthen data privacy in many countries, it has drawn criticism in others. German data protection experts fear higher costs and more bureaucracy for companies with fewer than 250 employees, exactly the opposite of what the EU wants to achieve. Only companies with more than 250 employees have to appoint an internal data protection officer and document their data protection internally. The data protection authorities are no longer meant to advise, but only to supervise. This shift can become problematic in Germany, a country that already has strict and well-organized data protection, because cooperation between companies and the authorities will become more complicated. Small companies may have to create a position solely for communication with the authorities.
In this article we will inform you about the biggest changes that the EU GDPR brings for smaller companies. We will keep you up to date with further information so that the adjustment to the new rules goes smoothly for your company.
The first difference lies in the way the Regulation is introduced. The directive from 1995 had to be transposed into national law by the member states. The new Regulation, however, applies directly in all member states from the outset. This means it cannot be weakened by individual states.
Objectives of the EU GDPR – How the new protection of customer data affects companies
The GDPR strengthens the rights of individuals: they have the right to know what happens to their data at any time. If your company handles personal data, you will face more work and effort.
The most important objectives at one glance:
- Standardization of the rules for handling personal data: this affects private companies as well as public authorities.
- Ensuring the protection of personal data EU-wide.
- Tougher penalties for breaching data privacy law (fines of up to 4% of a company's global turnover).
- Introducing the right to be forgotten: it will be easier for users to have their data erased on request.
- A right to data portability: users can switch from one provider to another and now have the right to take their data with them (for example at social media services).
- The GDPR also applies to companies outside the EU as soon as they offer a service to EU citizens (for example Facebook and Google, or various cloud providers).
Next steps
Now that the GDPR has been passed, companies have to start adapting to the new Regulation. We will keep you up to date with advice and news regarding the Regulation, and will accompany you through the two-year period of adapting to the GDPR.
Get further information here.