The EU’s new General Data Protection Regulation (GDPR) is due to come into effect on May 25, 2018, and it is a game changer for companies in Europe and around the world.
Robert Bond, a member of the board of the Society of Corporate Compliance and Ethics and Health Care Compliance Association, and a partner at the law firm of Bristows in London, explains that it is a different regime since it applies both to controllers of data and the processors who manage the data.
Notably, the new GDPR is also extraterritorial, applying to businesses in non-EU countries if they are handling the data of EU citizens. Companies in the US, accustomed to dealing with US requirements and having privacy policies based on US laws, may be in for a bit of a shock and will need to do some work to see how their policies measure up to this new, higher bar.
As Robert explains in the podcast, to start complying, companies need to understand the who, what, when, why, where and how of what data they are collecting, as well as what data they already have. In addition, the more sensitive the data, the higher the ante in terms of complying.
Penalties for non-compliance can be as high as 4% of global annual revenues. In addition, class action lawsuits are likely, and under the law claimants need only prove emotional distress, not actual financial loss.
Listen in to learn more, including what companies need to do first to begin complying with the new GDPR.