The new EU data protection rules may impact everyone.
Every entity that holds or uses the personal data of Europeans, even outside the EU, is concerned. Every business or organisation is affected by the European Union data protection rules. These rules are compiled in the General Data Protection Regulation, which was adopted in December 2015 and shall be effective in the 28 Member States in 2018. The last step was the approval of the final text by the EU Parliament in January of this year. The text replaces the old data protection directive (1995), which was old-fashioned and not adapted to the 2.0 society.
An important element of the General Data Protection Regulation is that it gives rise not only to increased compliance requirements but also to heavy financial penalties, which in the final version of the text turn out to be up to 20 million euros or 4% of annual worldwide turnover for groups of companies. Moreover, this Regulation is directly applicable in every single Member State of the EU. National Courts and Tribunals will consequently be able to apply the provisions of the Regulation directly, as will national data protection authorities.
The fines apply to infringements of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the General Data Protection Regulation, and orders by data protection authorities including suspension of data flows.
International organisations are likely to take these fines seriously, even huge firms such as Google, Facebook, Apple and Microsoft, because non-compliance could potentially result in fines of billions of dollars.
Companies and organisations will have to adapt their strategy to comply with the Regulation. At this point, we suggest that they map and classify all the personal data they possess, then design privacy protections in their business operations, and even hire personal data protection experts or officers. Companies sued before national Courts and Tribunals will have to produce these elements: they have to be ready to achieve legal compliance.
The new transparency framework will require entities to re-think how they engage with people, including their contracting and permissions processes and how they give clear and full information on what is happening to personal data.
When a breach of security or confidentiality arises, entities will have to notify the regulators of the incident. In serious cases, they will have to notify the people affected.
The new enforcement, sanctions and remedies framework will give regulators unprecedented powers to intervene in business and shape how entities conduct their operations, including the power to impose heavy fines.
Individuals will be able to exercise a “right to be forgotten”, a “right of data portability”, enhanced rights of access to their data and enhanced rights to demand the end of use of their data.
They will also be able to sue entities for compensation, if they are distressed by acts of non-compliance.
In order to understand clearly which provisions and obligations are at stake, please find below a link to the European Data Protection Regulation:

