The existing Directive 95/46/ec went into effect in 1995, at a time when less than 1% of Europeans had access to the internet and online privacy concerns were mostly part of science fiction. Since then, the internet has grown manifold, growing the data by numbers that most people didn’t even know existed (We’re currently counting the zettabytes). The way this data is collected, stored, and used has also changed fundamentally, while the same outdated data protection rules have applied.
What is the GDPR?
The General Data Protection Regulation (GDPR) harmonizes data protection laws in the EU that are fit for purpose in the digital age. By introducing a single law, the EU believes that it will bring better transparency to help support the rights of individuals and grow the digital economy.
The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. Even organizations outside Europe need to be compliant, or otherwise face significant penalties.
The primary objective of the GDPR is to give citizens back control of their personal data. From an economic standpoint, the GDPR aims to simplify the regulatory environment for international business by unifying the regulation within the EU.
Because the GDPR is a regulation and not a directive, it means that it is directly applicable in all EU member states from May 2018. A directive only directs member states to implement ruling, but does not enforce.
Why does the EU want this law?
The EU states that “the Regulation is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”
One single law is instrumental to the riddance of the confusing situation where 28 separate member states all follow their own laws and regulations. Though the GDPR is very strict, once an organization is compliant it can confidently do business across the EU. The hopeful expectancy is that this will lead to a significant administrative cost-saving.
Non-compliant organizations can face fines up to €20 million, or 4% of annual revenue – whichever is greater. These penalties are massive and can seriously harm organizations of any size. It stresses the importance of undertaking the considerable operational reforms required to be compliant when the day arrives.
To be continued…
European legislation is inherently complicated, as 28 very different countries need to agree on the final document. It makes it all the more remarkable that regulation this strict has been agreed upon. The seriousness of the GDPR shouldn’t be underestimated, which is why we will dedicate more future articles to this very important subject.