Europe’s General Data Protection Regulation: an EU story

30 April 2018

by Chrysi Chrysochou and Benjamin Wilhelm

25 May 2018: many have marked this date on their calendars. While some are simply waiting for the release of the highly anticipated new Star Wars movie, numerous IT and legal departments are instead preparing for the EU’s General Data Protection Regulation (GDPR) to come into force. EU citizens are about to enter a new era, yet few are aware of it.

The force awakens

Personal data is any information that is related to the identity of an individual: this can be a photo, an email address, a credit card or even a tattoo. The use of emails to communicate, computer logs, CCTV surveillance footage, employee profiling or evaluations, GPS tracking and many other activities constitute the processing of personal data.

The EU began protecting personal data when the World Wide Web was still in its infancy. In 1995, it approved the Data Protection Directive (DPD), which regulated the processing of personal data and its movement within the Union. Since then, tech giants such as Google and Facebook, as well as e-government, have emerged as powerful forces in society, mining an unprecedented amount of information. Data has become the new oil.

In 2015, the EU institutions voted on revising the outdated Data Protection Directive. The DPD had been in place for more than 20 years and was meant to protect the personal data of Europeans from misuse. Regardless of the DPD’s good intentions, a lot has changed since 1995 in the world of data protection, as well as in technology. The EU consequently has to move on to a new regime in order to fill the gap. Finally, here it is: the GDPR is the new regulation that will replace the old DPD by introducing, for the first time, a uniform and binding data protection law in all Member States. Under the new regulation, adult EU citizens will have the following rights:

  • The right to be informed: individuals can ask a company or organisation whether they own any of their personal data and why.
  • The right to access: individuals can request a copy of their collected personal data unless it implies a disproportionate effort for the business to provide it.
  • The right to be forgotten: European citizens are allowed to request businesses to erase their data under certain circumstances.
  • The right to restrict processing: citizens can demand a company or organisation to not use or share their data.
  • The right to rectify: organisations are obliged to correct inaccurate information upon the request of the individual the personal data pertains to.
  • The right to data portability: data can be transferred from one company or organisation to another.
  • The right to object: individuals now have the right to object to having their data automatically processed or used for profiling purposes.

The empire strikes back

According to the 2015 Eurobarometer survey, two out of three Europeans were concerned about not having complete control over the information they share online. Almost half stated that they would like to see the enforcement of rules on personal data protection handled at European level. One year later, the EU institutions adopted the GDPR with an overwhelming majority in the European Parliament: only 10 out of the 751 MEPs voted against it. The new regulation is far-reaching. It applies to organisations both in and outside of Europe processing personal data of Europeans.

The Regulation imposes stiff fines on data controllers and processors for non-compliance. Breaching the GDPR can cost up to €20 million or up to 4% of the annual global turnover, whichever is larger. The total amount of the imposed fine will be determined on the basis of 10 criteria, such as the nature of the infringement and the level of non-compliance.

A phantom menace

Businesses are not yet ready, but neither are they doomed. Surveys revealed that the majority of organisations doubt that they can meet GDPR requirements despite a two-year transition period.

Complying with the GDPR represents a double-edged sword for organisations. Establishing a minimum protection standard now means not just having an antivirus programme or a firewall, but also involves regular back-ups and robust intrusion detection systems. These upgrades require a significant amount of money and time. However, once implemented, organisations might be able to promote them as a competitive advantage. Marketeers should also remember that empowering customers to manage their data reduces spam as well as churn, which may ultimately boost the return on investment.

Five actions can help businesses in their efforts to be compliant with the new legislation:

  1. Map and categorise data
  2. Depict the compliance gap and schedule Data Protection impact assessments
  3. Update the organisation’s data protection policy and get consent (wherever necessary)
  4. Establish and strengthen procedures for data security and for data breaches
  5. Provide a contact point for the Data Protection Authority and training for the employees

A new hope

For businesses, the GDPR creates a lot of uncertainty, which poses a huge challenge. For users, it represents a new hope.

The enforcement of the new regulation also shows that, in spite of the Union’s flaws and Eurosceptics’ propaganda, EU policymakers do pay attention to their citizens’ needs and are able to react to technological advancement. Through the GDPR, 510 million Europeans will be empowered to take control of their personal data, and the privacy of foreign users could be strengthened by the new Regulation as well. May the force be with them!