Will the European Union's new General Data Protection Regulation impact your business?


Does your company do business internationally, and especially with customers within the European Union (EU)? If so, then you need to pay attention to what's happening in the areas of data privacy and data sovereignty. Big changes are underway, and they could have an impact on how you manage customer information.

At the end of December, the European Commission (EC) approved the final version of the General Data Protection Regulation (GDPR). It's a massive overhaul of the EU's 1995 data protection rules (Directive 95/46/EC), which were quite out of date given the technology developments and globalization of the last two decades. The EC has been working on the GDPR since 2012 in order to strengthen online privacy rights and boost Europe's digital economy.

There are some terms in the GDPR that will have a significant impact on many businesses outside the EU. While the GDPR is a European regulation, the terms apply extraterritorially to any entity (called a data processor or a data controller) that offers goods or services to residents (called data subjects) of the EU.

Thankfully, the regulation stipulates that merely having a commerce-oriented website that is accessible to EU residents does not constitute offering goods or services. A merchant must show intent to draw EU residents as customers, for example by using a local language or payment denomination. However, there are many other ways that a business can get caught up in the regulation.

Here are a few of the more relevant aspects of the GDPR for commercial businesses:

I could go on and on. These points only begin to touch on how personal data must be handled under the new regulation. You can see, however, that the requirements can potentially have a big impact on how companies do business today.

The GDPR allows businesses two years to assess the new regulation and to put the proper measures in place to ensure compliance. The regulation provides for significant penalties for non-compliance, including administrative fines of up to 2% of annual worldwide sales or 1 million euros.

In the 2015 Ovum research report "Data Privacy Laws: Cutting the Red Tape," two-thirds of the respondents said they expect the legislation to force changes in their European business strategy. Some companies might abandon the EU market altogether rather than spend the money and effort needed to comply with the new regulation. More than half of the survey respondents expect that their companies will be assessed fines for violations of the law.

If you even suspect this regulation could have an impact on your business, there is no time to waste in assessing the situation and formulating your go-forward plans.

Linda Musthaler
