Every company that collects personal data on EU citizens, no matter where the company is located, will need to make organisational and technical reviews and appropriate adjustments and changes to avoid financial penalties and censure.

Any organisation currently holding personal data on EU residents must stop doing business with EU residents or comply with all GDPR requirements.

Two main reasons the GDPR is important

  • The GDPR mandates protections on the personal data of EU citizens and residents, including the monitoring of behaviour that takes place in the EU, no matter where the company or organisation is based;
  • Non-compliance will result in significant financial penalties: up to a €20 million fine or 4 percent of the global annual turnover of the preceding financial year.

History of personal data protection in the EU

In 1995, the EU released a directive on the protection of personal data for all members of the EU. It upheld the right of EU residents to have their personal data protected by organisations based in the Union. The EU Member States were allowed to interpret the directive for themselves, which led to inconsistency in policy and practice. Many negative consequences pertaining to organisations doing business in multiple states were reported.

In May of 2016, the 1995 Directive was replaced by the GDPR after four years of fact-finding, discussions, and negotiations. Except where noted in GDPR, member states cannot add, subtract, or apply different interpretations to the new Regulation. The 1995 Directive is repealed at the same time the GDPR goes into effect. The GDPR updates data protection taking into account the technological advances made since 1995. The Regulation has a specific directive for collecting and processing personal data in criminal cases.

Defining personal data

According to Article 4 of the GDPR, personal data is “any information relating to an identified or identifiable natural person … who can be identified, directly or indirectly … by reference to an identifier.”

Identifiers include name, identification numbers, and addresses as well as physical and mental details, cultural factors, and other information pertaining to a person. Previously obtained personal data that has been fully anonymised and cannot be re-identified to a specific person is excluded from the GDPR.

Introducing the GDPR

The GDPR is one element of the European Commission’s Digital Single Market priority. It moves 28 national markets to a single market designed for the digital age. The new regulation modernises and harmonises the legal framework for data protection across the EU and removes individual states’ interpretations that were rampant under the 1995 Directive. With one law on data protection, organisations will no longer be required to use different data protections for different markets. This will save businesses approximately €2.3 billion each year.

The Regulation creates a level playing field for all organisations that collect and/or use personal data in any way. The law shifts responsibility from entities based in an EU market to any entity collecting data on any EU citizen or resident. Expats and foreign workers will have the same protection as citizens.

Compliance is required beginning May 25, 2018

The regulation was published in May 2016 with an implementation date of May 25, 2018, giving companies and organisations two years to make the necessary changes and additions to policies and systems to comply with the law. Exemptions will not be made for companies and organisations that do not have a physical presence in the European Union. At this time, transition plans should be nearing completion.

Fines for non-compliance are significant

The penalties for non-compliance range from administrative interventions to a two-tiered penalty: a €10 million fine or 2 percent of global revenue, or a €20 million fine or 4 percent of global revenue. In both cases, the higher amount will be assessed. Fines will be calculated based on the “nature, gravity, and duration of the infringement; the presence of negligence, organisational and technological mitigations in place; the categories of personal data affected; and whether the organisation itself notified the supervisory authority of the infringement.”

Any organisation currently holding personal data on EU residents must stop doing business with EU residents or comply with all GDPR requirements. A company doing the minimum required to comply risks not meeting the full intent of the regulation and being fined. To stay in business after being fined for noncompliance, a business will need to implement all the policies and technologies specified by the GDPR.