The proposed General Data Protection Regulation which is currently proceeding through the European legislature seeks to harmonize data protection law across European member states, is significantly more prescriptive than Directive 95/46/EC, and would introduce widespread data protection changes as well as greatly increased financial sanctions for noncompliance. These changes are likely to raise significant challenges in regard to data protection compliance for all businesses (regardless of the location of their establishments) that operate or provide goods and services within the European Union (EU).
Despite the challenges, the draft regulation offers businesses certain benefits, including consistency across member states and the potential to reduce the cost of data protection compliance. However, to avoid severe penalties and potential reputational damage, businesses must take compliance seriously and address the challenges mentioned. To comply with the draft regulation once it comes into force, companies must implement adequate policies, procedures, and processes that reflect the changes it introduces. The details of those changes, and the challenges they present for organizations, represent a significant departure from the current system and require additional action to achieve compliance; organizations based outside the EU will have to apply the same rules.
This paper outlines the changes, challenges, and benefits of the proposed regulation, and the changes companies must make to their policies, processes, and procedures before the regulation comes into force in order to avoid potential financial and reputational penalties. It focuses in particular on multinationals with complex business models and a global presence.