The EU General Data Protection Regulation (GDPR) is the new data protection law of the EU and probably a game changer for data retention. It applies from 25 May 2018. The GDPR may very well be one of those laws that rock the entire world. It is already known as one of the most heavily lobbied pieces of legislation in EU history, and it is widely regarded as the killer of conversion ratios, small and medium enterprises (SMEs) and innovation within the EU.
Data as such is not protected by ownership or intellectual property rights. That does not mean your company can use data however it pleases. The collection, use and handling (“processing”) of personal data is regulated by data privacy laws such as the GDPR. Personal data is any information relating to an identified or identifiable individual. Personal data is present in all business processes, all systems and all facets of business life, so you can imagine how far-reaching the GDPR is. The new law contains many rules on security, transparency requirements, privacy impact assessments, the rights of individuals, international data flows and, of course, data retention. You even need to keep a register of all your processing activities! And if you fail to comply? You risk a hefty fine of up to EUR 20 million or 4% of your annual worldwide turnover, whichever is higher. Ouch! Feel safe because you are not located in the EU? Think again. The GDPR has a very broad extraterritorial reach: it also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. Basically, if you run a global website or service, chances are good that the GDPR applies and you will need to abide by these rules.
We are more optimistic and believe that the GDPR also creates many wonderful business opportunities. The EU privacy law imposes discipline in ways you would probably not have imagined:
- The GDPR requires you to ask the questions you should always have asked yourself before starting a new project (why are we doing this project, how, for how long, who is responsible, how do we inform external stakeholders).
- Get in control of your cyber and data security strategy. The GDPR contains serious data security and data breach notification requirements. Plus, your data inventory will teach you where your real risk lies in terms of the sensitivity of your personal data. This allows your IT security department to assess risk more accurately and make better investment decisions.
- Get in control of business processes. The GDPR requires you to get a grip on your data flows and record them. As personal data flows through your business processes, you will gain a much better understanding of the processes that make up your company.
- Get in control of data pooling. When you know where your data is, your marketing and analytics departments will better understand how to make use of it. They will be able to see opportunities they never imagined were possible.
- Get (a bit) more in control of legal spend. With the GDPR you will most likely not need to ask for
Did you know that the full title of the GDPR is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”? Long name, right?
The English version of the EU data privacy law can be found here: ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
The GDPR in the other official EU languages can be found here: eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32016R0679.
Want to learn more about the GDPR? Please turn to our friends at the IAPP.