GDPR: Regulation with Wide Reach and Deep Consequences

By Cara Murray, Assistant Vice President, Alliant

Multinational companies are currently, or should be, preparing for the European Union’s General Data Protection Regulation (GDPR) to go into enforcement on May 25th 2018. The GDPR is replacing the EU’s prior information protection regulation, the Data Protection Directive, continuing the European Union’s strict requirements for organizations that collect and use information of EU citizens. On the whole, the regulatory regime in the EU is designed for the benefit of information subjects – the people whose information is being collected and used and stored.

The updates included in the GDPR are based off both the continued evolution of data-collecting technology and data usage, as well as the evolving regulatory regime relating to data around the world.

One of the major provisions of the GDPR is its applicability to any organization maintaining or processing data of individuals residing in the EU regardless of the location of the company itself. As data can move easily across borders, it is quite common for information to be processed outside of the region where it was collected and where its subject resides; this regulation now asserts that jurisdiction follows the data wherever it goes when it pertains to EU citizens.

From an information risk perspective, the following two provisions may be the most significant.

While it is widening the EU its jurisdiction through the GDPR, it is also narrowing its notification windows; the regulation requires organizations to notify regulators of a breach within 72 hours of first awareness of the breach event. Once the enforcement period starts, companies will need to have a clear plan in place regarding how to provide notification when they discover a data breach event, because they will not have time to learn through experience.

And the biggest headline-making aspect of the GDPR: companies can be fined up to 4% of annual global turnover or €20M (whichever is greater) for serious data-related infringements. The penalties are set up on a tiered basis, so more basic violations such as notification failures or record-keeping errors could be subject to fines of 2% of annual global turnover. That said, these are serious penalties, designed to push companies to actively obtain and maintain compliance, and with the teeth to seriously punish those who fall out of compliance.

At this very high level of review, it is clear the GDPR has significant potential impact for organizations around the world that in one way or another maintain information about EU citizens. With enforcement still on the horizon, it remains to be seen if that potential impact holds up in practice.