Caution: New data regulations straight ahead

Six months from now, the European Union launches a new regulatory scheme for data protection that will affect every business – worldwide – that markets to EU consumers. The impact on both consumers and businesses is likely to be substantial.

If your business targets consumers in any of the 28 countries that make up the European Union, there’s a regulatory crossroads in your very near future.

In May 2018, the EU is implementing the General Data Protection Regulation (GDPR), a sweeping (260+ pages) replacement for a patchwork of national legal frameworks for the protection of personal data. More than four years in the making, the GDPR is intended to strengthen and unify data protection for individuals within the EU.

To do so, the GDPR imposes new obligations on businesses – anywhere in the world – that collect personal information from individuals residing in the EU, or that use or process such personal information. In parallel, the GDPR gives European consumers new rights and control over their personal data, including the so-called “right to be forgotten.”

There are four key attributes of the new regulation that demand the attention of any business that falls under its jurisdiction: the scope of the data it covers, its geographic impact, the new requirements that businesses must meet in order to comply, and the penalties for noncompliance.


Scope of data

“Exhaustive” might best describe the types of information that are required to be protected under the GDPR. In addition to the usual topics – such as names, dates of birth, and government ID (comparable to U.S. Social Security numbers) – the GDPR’s definition of personal data also includes home addresses, IP and email addresses, computing devices’ identifiers, online financial information, medical records, and a wide assortment of user-generated data, including social media posts and personal images uploaded to any website.

In a nutshell, virtually all personal data pertaining to European citizens or residents is considered theirs to share, or not; and businesses – referred to as “data controllers” or “data processors” – are obliged to protect it.


Geographic impact

The geographic reach of the GDPR also deserves attention. Any company outside the European Union that is targeting consumers within the EU will be subject to the GDPR. Its protections extend far beyond those citizens of the 28 EU nations who reside within the EU.

Also protected are EU citizens who happen to reside anywhere else in the world, as well as the non-citizen residents of any EU nation, regardless of nationality. As European consumers increasingly communicate with businesses on other continents that collect, use, or process their personal data, the impact will be genuinely global.


New mandates for business

Highlights of the many new requirements that the GDPR makes of businesses are:

  • Consent – Consent must be given before any personal information can be processed.
  • Data Protection Officer – Companies with more than 250 employees must appoint a Data Protection Officer.
  • Privacy Impact Assessments – For “risky” processing of personal data, data controllers must conduct Privacy Impact Assessments.
  • Documentation – Data controllers and processors must document all of their processing, and make documentation available on request.
  • Data Breach Notification – Within 72 hours of learning of a breach that affects personal data, companies must notify the relevant EU authority. In addition, consumers affected by a data breach must be notified by the data controller.


Penalties for noncompliance

The penalties that the GDPR specifies for companies that are not in compliance are stiff. They escalate from a formal written warning, to regular periodic data-integrity audits (which involve giving an auditor access to sensitive or proprietary information), to fines of up to 20 million Euros or 4 percent of a company’s worldwide revenue, whichever is greater.

The GDPR has been described by one of its legislative sponsors as “a fierce European ‘yes’ to strong consumer rights,” and it will clearly have an impact on all businesses that target those consumers. How should businesses prepare? A sound strategy will include taking an organization-wide view of data protection – one that includes the business needs and opportunities posed by personal data, as well as security and technology concerns.

More tactically, there are technology solutions that can help any organization meet the GDPR requirements for secure capture, processing, management, and storage of personal data. We’ll have more to say about these in the next installment of this blog series.


Jeff Segarra

About Jeff Segarra

Jeff Segarra is the Senior Director of Product Marketing for the Nuance Document Imaging Division. He is responsible for the global team that delivers industry product positioning, messaging and content to help our customers around the world identify how Nuance solutions can meet their needs. He enjoys speaking and writing about business process improvement, The Internet of Things, document security, document conversion technologies and personal productivity. He has an MBA from Iona College, Hagan School of Business and has been working with software technology for 20 years. Jeff is an original New Yorker and, therefore, a staunch Yankees fan – in the heart of Red Sox nation.