New EU rules come into force on 25 May 2018
On 25 May 2018, EU authorities will begin enforcing strict new standards for handling the personal data of EU data subjects. Outlined in the General Data Protection Regulation (GDPR), these standards will apply to any organisation that handles personal data of individuals in the EU — even when no transaction takes place and regardless of whether a business is physically located in Europe.
For organisations holding personal data on individuals in the EU, GDPR will impose tighter rules governing data privacy and information security. It’s important to note that GDPR applies to both controllers and processors, and covers the whole lifecycle of personal data: initial collection, internal storage and transfer, any onward transfer to third parties, and eventual deletion. GDPR enforcement will extend into all aspects of organisations, including cloud computing, social media, and the internet of things.
New rules are planned on breach notification, consent requests, data subject rights, privacy by design, data protection impact assessments, and the role of data protection officers. Companies found in breach of the new rules could face fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is higher.
GDPR has the potential to become a de facto global standard for data governance and privacy. For firms that trade across borders, adhering to the GDPR standards for data protection is an inevitability, with or without Brexit.