The General Data Protection Regulation (GDPR), voted through earlier today, will extend the right to be forgotten to all areas of online life, allowing consumers to request that their social media profiles are deleted entirely. It will not, however, affect news articles.
The new laws won't be finalised until later this year, or take effect until 2018, but the impact on businesses could be massive.
Under the new rules, any company which holds Europeans' data – not only those based within the EU – will have 72 hours to report a data breach. They will have to explain in their privacy policies exactly how customer data will be used. Large companies will also be forced to appoint a data protection officer and conduct data protection impact assessments.
“The data protection impact assessments will require companies to formalise their documentation showing exactly what they are doing with customer data and who can access it,” says Sachiko Scheuing, European privacy officer at Acxiom. “If not in terms of budgetary investment, firms will need to take time to plan for this major initiative.”
Companies which don't comply with the new legislation face a fine of up to 4 per cent of their annual global turnover, or €20m – whichever is greater. But the legislation is onerous and it may take time for firms and regulators to fully understand its implications.
The GDPR is intended to replace existing data protection laws drawn up in 1995, before the internet was adopted on a wide scale.
Some digital businesses have welcomed the new legislation. “It is laying the foundation for the future of the digital economy, which is developing at exponential pace, and requires regulation to operate efficiently,” says Ben Walmsley, regional vice president for Northern Europe at Sizmek, an adtech company.
“It signals the maturity of the digital industry by respecting a consumer’s right to be in control of how their data is used. Standardising rules across the EU is a good first step in creating a consistent framework for companies to adhere to.”