The EU’s data protection laws have long been regarded as the gold standard in the protection of personal data.

Over the last 25 years, technology has transformed our lives in ways nobody could have imagined, so a review of the rules was needed. Following four years of discussion and debate, in 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the 1995 Data Protection Directive which was adopted at a time when the internet was still in its infancy.

The most significant change to rules governing data protection comes into effect in May 2018, carrying fines of up to four per cent of global turnover or €20 million, whichever is higher, for businesses that do not comply. The GDPR in conjunction with the EU Commission’s data protection reform is intended to boost the digital single market. The data protection reform strengthens the right to data protection, which is a fundamental right in the EU, and allows people to have trust when granting access to their personal data.

The most notable of the new rules concern consent, easier access, the right to data portability and a clarified right to be forgotten.

With regard to the consent of a data subject to the processing of personal data, this consent must be given freely and be specific, informed and unambiguous. Individuals will also have more information on how their data is processed, and this information should be available in a clear and understandable way.

Data subjects will also have a right to data portability – it will be easier to transfer personal data between service providers. Also, when one no longer wants one’s data to be processed and where there are no legitimate grounds for retaining it, the data has to be deleted.

Moreover, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.

From a business perspective, the GDPR is not just a threat but also an opportunity. In an age when personal information is a key asset and a business driver, getting your privacy strategy right as an organisation could furnish you with a competitive edge. Complying with the GDPR is about defining, implementing and then sustaining compliant processes.

Post-2018 you will be required to demonstrate, on an ongoing basis, how you collect, use, retain, disclose and destroy personal information in line with the GDPR requirements. This impacts everything you do relating to personal information and therefore constitutes a significant transformational activity for your organisation going forward.

GDPR has to become business as usual: it is all about embedding the GDPR’s accountability principle. This requires you to demonstrate the manner in which your organisation complies with the principles, for example, by documenting the decisions made about a processing activity. The GDPR requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.

Reaching and maintaining a state of accountability will provide you with greater control over data you process, allowing you to become more productive rather than merely complying with the GDPR. With the assistance of the right experts, it will give you confidence that you can meet data privacy regulations around the world and, at the same time, put you in a position of strategic and commercial strength.

Antoine Demicoli is a senior manager at KPMG in Malta and has written his LL.D. thesis on data protection.
