The General Data Protection Regulation ("GDPR") applies from 25 May 2018, and many businesses are beginning to prepare for its introduction. The GDPR builds on familiar concepts and rules, but in many ways it goes further: its scope is wider, its standards are higher, and its sanctions are far more severe. The GDPR also expands the territorial scope of EU data protection law. It applies both to organisations established in the EU and to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. As a result, a greater number of organisations will be subject to these new rules.
With a greater level of harmonisation of laws across the EU, it should be easier for businesses that sell goods or services across the EU to take a unified approach in multiple EU states. However, the compliance burden is generally greater than under the current regime, so many organisations will have to review and enhance their existing practices. In particular, the introduction of the accountability principle means that affected organisations will have to work on their internal compliance, including record keeping and, for some, the appointment of a data protection officer. Such changes matter because the GDPR introduces significant penalties for non-compliance: administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
While the actions needed to prepare for the implementation of the GDPR will be specific to your organisation and the sector in which it operates, your organisation should start by:
Evaluating your organisation's...