By May 25, 2018, companies that collect data on citizens across all 28 EU member states will need to comply with strict new rules protecting customer data, following the introduction of the General Data Protection Regulation (GDPR). The regulation dictates that it will not be allowed by law to collect data on:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
This is good for consumers, as there are clear rules with respect to their data, and it is also good for companies, as they only need to comply with a single standard within Europe. However, meeting and administering the standard will require most companies to invest heavily. The large US companies that deal with data expect to have to invest significant amounts to meet the new standard. According to the PwC survey, 68 percent of US-based companies expect to spend between $1 million and $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million, leading to some complaints that it will put them at a competitive disadvantage with European companies. As European companies need to abide by the same rules, it is not entirely clear where this disadvantage comes from, except that the GDPR regulates the exportation of personal data outside of the EU and many US companies have data centres and support staff in the US.
So what does this mean for companies? The GDPR requirements will force companies to change the way they process, store, and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies must erase personal data upon request, enshrining the concept of the “right to be forgotten”.
So the good news is that from May 25, 2018 we will get a bit more privacy - the question is how many companies will be ready to meet the new regulation when it is introduced.