Europe’s new legal framework for data protection goes into effect in less than five months. Known as the General Data Protection Regulation (GDPR), it will affect a multitude of companies worldwide.
In fact, every company that collects data on citizens in Europe will need to comply with strict new rules around customer data beginning May 25.
Bracing for GDPR
So what’s a business with data on European citizens to do? The answer is obvious: Act now.
“With GDPR just around the corner, it is critical that organizations do not delay or ignore compliance as it could have costly repercussions,” warned Fouad Khalil, vice president of compliance at SSH Communications Security.
Large organizations could face significant budgetary, IT, personnel, governance and communications implications, he added.
Holistic Data Framework
The GDPR defines a broad set of rights and principles governing the protection and use of European Union (EU) citizens’ data, regardless of the physical location of that data. The UK also plans to implement the GDPR despite Brexit.
The new legislation replaces the Data Protection Act 1998. It shifts the burden to protect data to businesses and empowers individuals to take control of their data. It also imposes hefty fines on those who fail to meet the new standards.
The GDPR ushers in a host of new standards and protocols. For example, companies can only use data for specific purposes. That means companies are not only required to keep personal data secure; they must also keep the data private — and protect it from all forms of unauthorized access.
Right To Be Forgotten
Data subjects have extended rights under the GDPR, Gartner noted. These range from the right to be forgotten — that is, the right to have their data records deleted — to data portability and the right to be promptly informed of data breaches.
This can be challenging for businesses. To start, the GDPR has a broad definition of personally identifiable information. Obviously, it includes such things as names, email addresses, credit card numbers, Social Security numbers and passport numbers.
But it also includes genetic or biometric data that can uniquely identify a person, including photos, fingerprints, voice recordings and signatures — and even social media posts or descriptions of EU citizens.
First, businesses must understand what they need to delete. Then they have to find that data. That means checking through multiple systems — from their customer relationship management and marketing automation systems to their digital asset management and social media feeds.
It isn’t easy to erase digital footprints.
Data Portability and Breaches
The GDPR gives European citizens the right to ask companies to give them all of their personal data. The companies have to deliver the data “without hindrance.”
They also have to deliver it free of charge, and in a format that is easy for people to access and use.
A person might make such a request when he ends a relationship with a business such as a doctor or a bank. Today, businesses don’t always give such requests priority. And, in some cases, they charge customers fees for their data. But the GDPR will mandate data portability.
Under the GDPR, businesses will also have a duty to report data breaches within 72 hours. Failure to do so could result in a fine, as well as a fine for the breach itself.
In some cases, businesses will need to contact individuals whose data was obtained because of a breach. “Having sufficient procedures in place to effectively detect, report and investigate a personal data breach is paramount,” said Vincent Vandendael, Chief Commercial Officer at Lloyd’s.
Weighing the GDPR Costs and Risks
Clearly, there are challenges ahead. Forrester predicts 80 percent of firms affected by GDPR will not comply with the regulation by the time it takes effect next May.
“Of those noncompliant firms, 50 percent will intentionally not comply — meaning they have weighed the cost and risk and are taking a path that presents the best position for their firms. The other 50 percent are trying to comply but will fail,” Forrester predicts.
Forrester identified possible hidden risks for companies in 2018. For example, consumer advocate groups might use the GDPR’s “right to be forgotten” clause to challenge companies. This could exhaust company resources and damage brands.
Reason for Optimism?
While there are clearly unknowns and trepidation ahead, there are also hints of optimism.
Rachel Aldighieri, managing director of the UK DMA (Direct Marketing Association), called the GDPR “a unique opportunity for business transformation and to forge new relationships with customers based on trust.
“Those organizations that put creativity at the heart of a customer-centric approach, not simply viewing the new laws as a legal issue, will thrive in this new environment.”
Atlanta-based Arke develops strategies and implements digital technologies for a better brand experience for your customers.