A little over four years in the making, on April 14th the EU Parliament finally adopted the General Data Protection Regulation (GDPR). The GDPR will have wide ranging implications for every organisation within the EU that processes personal data and any organisation based outside the EU that provides services to the European Market. Basically, it will impact just about everyone.
The GDPR is in response to justifiable claims that the existing data protection regulations are out of date in today’s connected world. Until the new regulations come into force, most of Europe is still governed by the 1995 Data Protection Directive – a set of regulations laid down during the birth of the world wide web, in a time before Google, social media and the smartphone.
The Regulation is set to come into force in June, from which time organisations will have two years to implement the changes. Unlike the current system, where the 28 member states have implemented their own national laws, the GDPR will be directly applicable to every EU member.
The GDPR lays down an integrated set of rules for data protection; with comprehensive guidelines for enforcement, governance, transparency and citizens’ rights. The enforcement side of things will be of particular interest; as the revised regulations allow for significantly more punitive sanctions for non-compliance.
Organisations found to be in breach of the new regulations could face fines of up to 4% of their annual, global turnover – significantly increasing the business risk associated with non-compliance.
As the risk increases, organisations will increasingly adopt tighter security policies and will turn to encryption to add a layer of additional information assurance. If an organisation suffers a data breach, any punitive action would be mitigated if the data itself was rendered useless to unauthorised users.
For a more detailed overview of the new regulations and their implications, click here.