Prepare For The New EU Data Protection Rules

Companies have two years to comply with major data reforms or face fines

The General Data Protection Regulation (GDPR) has been agreed at the European Union (EU) Parliament. Businesses now have two years to prepare for compliance with the strict new requirements or face penalties.

Requirements for businesses
Under the GDPR, businesses will have to:

  • appoint a dedicated data protection officer if they handle a significant amount of sensitive data or monitor the behaviour of many consumers
  • keep track of personal data in an auditable way
  • provide breach notification within 72 hours

Businesses that do not comply with the new requirements will face fines of up to 4 per cent of their global revenue for the previous year, or €20 million, whichever is greater.

The rules will also apply to non-EU companies if they trade with or offer services to customers in the EU.

Rights of individuals
The new legislation will also give individuals greater control over their personal data. Among other things, individuals will have the right to:

  • be forgotten
  • transfer their data to another service provider
  • be notified when their data has been hacked

The regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date, which means that all companies conducting business in the EU need to gear up for compliance by 2018.