In 1995, the EU introduced its Data Protection Directive to protect consumers. But 20 years later, with rapid changes in technology, the Data Protection Directive now seems outdated. Consumers are more worried than ever about what companies do with their consumer data, especially after security breaches occur. They want to have control over how their personal data is used.

In comes the EU’s ambitious and strict General Data Protection Regulation (GDPR), which will take effect May 25, 2018. Four years in the making, it was finally approved by the EU Parliament in April 2016. With this new Regulation, companies will be required to report breaches to their regulators and often to consumers. Additionally, GDPR allows a consumer to find out how their personal data is being used by a business.

“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established,” according to the EUGDPR.org website.

Businesses will face heavy fines for non-compliance. GDPR’s obligations will affect any company that handles EU citizens’ data, whether the company is located in the EU or not, and ultimately will have global ramifications.

Here are some key changes in the Regulation, as stated on the EUGDPR.org website:

  • Increased Territorial Scope (extra-territorial applicability)
    • “GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.”
  • Penalties
    • “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).” Note: €20 Million currently is the equivalent of about $24,000,000.
  • Consent
    • “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”

Under GDPR, individuals whose data has been collected by a business have the following rights:

  • Breach Notification
  • Right to Access
  • Right to be Forgotten
  • Data Portability
  • Privacy by Design

If your company collects or processes EU citizens’ data, you will need to be GDPR-compliant. But bad things can still happen, and you need the correct coverage in the event of a breach or other cyber event. For more information about GDPR and how it will impact your business’s cyber risk exposure, contact us today.