
The Privacy Advisor | Countdown to GDPR: Part 2 — Opportunities and challenges


The European Union’s new General Data Protection Regulation will go into force May 25, after six years of preparation. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, protecting and empowering all EU citizens.

The rules will apply to all companies that collect the personal information of individuals in the EU, whether the business is based in the European Union or not, and the fines for noncompliance will be extremely onerous.

The main challenge for corporations will be assessing their current information collection and storage systems against the new regulations and ensuring compliance before the deadline. Accountability is critical, and concepts such as pseudonymisation will become commonplace under the new regulations.

In addition, the cross-border transfer of EU residents’ data outside the region will become much harder. The EU Commission will assess third countries’ level of protection by carrying out "adequacy" assessments binding on all member states. It will then carry out reviews every four years to ensure continued compliance.

Any businesses that collect sensitive personal information will need to carry out and regularly update gap analyses, data protection impact assessments, privacy audits and data breach roadmaps in order to stay on the right side of GDPR.

This series aims to highlight the profound impact this new GDPR legislation will have on organizations. Nine data protection experts from Germany, Belgium, the Netherlands, Italy, the U.K., the U.S., Luxembourg, Sweden and France discuss how they are helping their clients reach GDPR compliance and emphasize some of the structures businesses should put in place to avoid a crippling fine.

What opportunities/challenges does full compliance with GDPR represent for non-EU businesses operating in your jurisdiction?

Anna Fernqvist Svensson

Sweden — Anna Fernqvist Svensson
I think it will, of course, increase trust and positive PR, as well as ensure avoidance of high fines, which can be charged. Companies can also introduce more efficient practices. With regard to cross-border operations, from a Swedish perspective, it will be more or less the same arrangements under the GDPR as we have now – i.e., the same rules.

Alexander Roth

France — Alexander Roth
We mostly have EU-based clients. Germans have always been more stringent on data protection regulations, and our French clients have always suffered from misunderstandings, sometimes operating under the belief that if they comply with French privacy laws, then they would be compliant with those in Germany. This always ends up in litigation or long hours of negotiations to exit or remodel complicated contracts.

I believe this is an opportunity for businesses to increase efficiency in cross-border commerce, enhance reputation and image in matters of compliance, and improve dealings with partners in other countries. There are also higher fines, which are a good incentive to comply. The fines that our national regulatory authority was able to issue were capped at 180,000 Euros, which, compared to the 4 percent of annual global turnover for GDPR, is a big gap.

Cecile Porcher

Luxembourg — Cecile Porcher
According to us, the GDPR has two main advantages. The first one is, of course, that it unifies everything: The harmonization between EU countries will simplify EU relationships and avoid the kind of issues Alexander refers to. The second advantage is that companies complying with GDPR will generate confidence for their clients.

As far as challenges are concerned, I see one coming due to the fact that GDPR concerns data belonging to EU citizens, whether or not the receivers of this data have a branch in the EU. With regard to the future, there is likely to be a far higher obligation around data protection, and there will also be conflicts with the national regulations and/or interests of non-EU countries, which might lead to a renaissance of what happened in 2012 regarding Microsoft and Yahoo in the U.S.

Steven de Schrijver

Belgium — Steven de Schrijver
The GDPR will be applicable to any use of personal data taking place either as a result of the offering of any goods or services to individuals located in the EU or during the monitoring of the behavior of EU-based individuals. The GDPR’s focus on the location of the data subjects, rather than on where the data controllers are incorporated, has significantly widened the territorial scope of the EU’s data protection legislation. As a consequence, any worldwide business with customers located in the EU will be subject to the GDPR in respect to those customers.

As such, the location where data processing equipment is held is no longer a determining factor for the applicability of the regulation, and multinational companies cannot bypass the protection offered by the GDPR by locating their infrastructure outside the EU. They will have to comply with the legal rules of the GDPR as well, or otherwise face its legal sanctions (i.e. fines up to 20 million EUR or 4 per cent of annual global turnover) in case of non-compliance. 

Bart Sujecki

The Netherlands — Bart Sujecki
There might be an opportunity for non-EU companies to show they are compatible with the regulations and, by doing so, they could increase their business in the Netherlands. What might happen is that certain U.S. or non-EU companies might establish branches here that fulfill requirements and use those for the EU market, so they can split their services for non-EU and EU clients; we will see how it develops.

Kathrin Schürmann

Germany — Kathrin Schürmann
From my point of view, there are significant challenges around full compliance for non-EU clients. This is a lot of work for them, but on the other hand it’s also a good opportunity to review their own processes and handling of personal data.

This is an opportunity for those clients to clean up their processes and get a better overview of their operations. It also allows them to be more compliant, and it is a good opportunity for them to gain more client relationships in the EU, by being compliant with GDPR.

Of course, we do have the EU-U.S. Privacy Shield and standard contractual clauses, but nevertheless if a German company has to negotiate with the data protection authorities in Germany, they always point out that it would have been better and more compliant to work with a company based in Europe. So, compliance with GDPR is a good opportunity to address this kind of problem for non-EU firms.

Ruggero Rubino Sammartano

Italy — Ruggero Rubino Sammartano
There are multiple opportunities and challenges depending on the perspective from which you see the GDPR. In Italy we had a very detailed Data Protection Act, dated 2003, which was well received and implemented by many companies located in Italy. Now, though, it is time to update and improve it in line with GDPR. Companies that are already compliant can simply fine tune and others can follow suit.

The costs for implementing a performing data protection system in Italy are reasonable, compared to other EU member states. Once the system is in place in Italy, it may be adopted by foreign subsidiaries, subject to local customization. Following strict rules, although not mandatory, shows the strength, fairness and integrity of a company.

William Shawn

U.S. — William Shawn
We may see a migration of data from U.S. companies to European service providers able to store personally identifiable information within the EU, to make their life easier. Many U.S. companies are confused about the jurisdictions, and many think that if they do not have any physical business in the EU then it doesn’t apply. What they don’t realize, especially in online business, is that if they are collecting personal information from EU subjects, then they have to comply. We will also see some migration to service providers in the business of serving multiple companies, and there is a provision for that in the legislation.

Kerry Beynon

England and Wales — Kerry Beynon
In terms of the challenges faced by non-EU businesses wanting to operate in the EU, it’s largely about overcoming the newfound reluctance to engage with providers outside the EU because of perceived restrictions under the GDPR. Many people now want to make sure their data centers are within the EU, so they are not facing questions about GDPR data transfer requirements. There is an opportunity, though: if you are an American company, for example, and you can show you are compliant, you can enhance your reputation significantly. It’s a double-edged sword.

photo credit: Move The World via photopin (license)
