There is a new wave of regulation coming in the form of the European Union Data Protection Regulation (EU GDPR). These provisions and regulations have been in development over the last four years, and starting May 25th, 2018; it will begin to be enforced. After that date, substantial fines will be imposed on those who don’t comply with new regulations. Before we dive into what this will mean for organizations, let’s look at what the new GDPR entails.

The EU GDPR was designed to replace the Data Protection Directive 95/46/EC, which was developed to create a general set of rules and regulations surrounding data privacy across the EU with the aim of protecting the data privacy of EU citizens. The most extensive change brought on by the EU GDRP is the “Increased Territorial Scope.” This addition means that no matter where an organization is located, or where their data is processed, the personal data they have collected from EU citizens must comply with the new GDPR. So, if an American company has collected data on EU citizens, it now must be handled in a manner that complies with the GDRP. Some other regulations and rules include:

    • Breach Notification: it will be mandatory to disclose data breaches that may “result in a risk for the rights and freedoms of individuals” living in the EU.


    • Right to Access: data subjects will have the right to obtain data as to whether their personal data is being processed, where and for what purpose.


    • Right to be Forgotten: this entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.


    • Privacy by Design: this calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition.


    • Data Portability: this introduces the right for a data subject to receive the personal data concerning them, which they have previously provided.


  • Data Minimization: this calls for controllers to hold and process only the data necessary for the completion of its duties.

Now, these changes to regulation may mean even more changes to your organization and their data collection methods. Where data minimization is concerned, agencies may have a lot of internal changes to make to become compliant. We are clearly in the age of big data, where companies have gotten used to the idea of capturing as much user data as possible. This method of data collection is fundamentally changed with the introduction of the GDPR, and it may result in fundamental changes to the way companies capture data. But once agencies make the necessary the changes needed to meet GDPR compliance, they will have a smaller amount of data to manage, keep secure, and worry about in general.

These changes are in the best interest of EU citizens, but will inevitably mean that drastic changes will be required for a large number of companies. Has your organization reviewed, planned for and begun to implement any of these changes? Time is running out…