Data protection has entered a period of unprecedented change.
This has been driven by:
- An increasing number of high-profile data breaches reported in the media that have led consumers and regulators to be concerned about how personal data is managed
- The demise of Safe Harbor (see our latest Safe Harbor blog entry below)
- The new EU General Data Protection Regulation (GDPR) – a landmark development in data protection
In April 2016, after four years of tough negotiation, the European Union adopted the GDPR. The Regulation is a game changer for organizations. The GDPR introduces more stringent and prescriptive data protection compliance challenges, backed by fines of up to 4% of global annual revenue. The Regulation will replace Directive 95/46/EC, which has been the basis of European data protection law since it was introduced in 1995. The GDPR will be directly applicable from 25 May 2018 in all EU Member States.
The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and negative changes for business in terms of cost and effort. Organizations are likely to welcome the harmonization of laws across the 28 Member States, which will make the complex data protection landscape easier to navigate for multinational organizations.
The introduction of new rights for individuals, such as the Right to be Forgotten and the Right to Portability, as well as mandatory breach notification, is likely to increase the regulatory burden for organizations. Businesses need to review their current data protection compliance programs to determine next steps and decide on the level of investment they need to make over the next two years to address the changes.
Organizations need to act now to ensure that they are ready to comply with the new Regulation when it comes into force in May 2018.
EY Legal Services Contacts:
Fabrice Naftalski – Global Data Privacy Leader
Dr. Peter Katko – Global Digital Law Leader