Perhaps the hottest new topic in the field of risk and compliance is the EU’s looming General Data Protection Regulation (GDPR). With 100 pages, 99 articles and all manner of still-undefined terms, it is the product of more than five years of legislative deliberations and now two years of preparation for implementation. In many ways, the GDPR stands to redefine the way that privacy and data protection are thought about in organisations around the globe.

Applying from 25 May 2018, the GDPR protects the personal data of all “natural persons” in the EU, including non-citizens who happen to be within the territory when their data is collected. Its jurisdictional reach extends beyond Europe: any organisation that offers goods or services to people in the EU, or monitors their behaviour, falls under its scope regardless of where in the world that organisation is located. It also introduces and codifies new rights that give people a great deal more access to, and control of, their personal data as it is collected and used by organisations.

And then there is the risk that comes with not complying with the GDPR: potential fines of up to €20m or 4 percent of worldwide annual turnover, whichever is higher. That is a significant exposure, and there has already been some discussion among privacy professionals and data protection consultants about raising insurance rates to address the liability.

Apr-Jun 2018 Issue

International Association of Privacy Professionals (IAPP)