Data is the currency of today’s digital economy – and the new GDPR will not only protect this valuable resource for both individuals and companies when it becomes law in 2018 but increase innovation and cut costs as well.
According to estimates, the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020 – and business opportunities will only be increased by strengthening and unifying Europe’s already high standard of data protection.
Jan Philipp Albrecht (Greens, DE), who steered the GDPR legislation through Parliament, said: “The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition.” But what are the key things businesses need to know?
- One law for the whole continent – one of the biggest attractions is that Europe will now be covered by one law, applied in the same way everywhere, instead of a patchwork of national ones. Eliminating the need to consult local lawyers in each country a business has dealings or premises will see direct cost savings as well as legal certainty. Savings from dealing with one pan-European law rather than 28 are estimated at €2.3bn per year.
- Regulatory one-stop shop – businesses will only have to deal with one regulatory body rather than 28, making it simpler and cheaper for companies to do business in the EU. They will also profit from faster decisions, one single contact point and less red tape as well as consistency of decisions where the same processing activity takes place in several member states.
- The same rules for all companies – all companies, whether or not they are based in the EU, will have to adher to the same rules when doing business with its citizens, creating a level playing field that does not exist at the moment where European companies are governed by stricter standards.
- Technological neutrality – innovation will continue to thrive under the new rules.
There are also new rights aimed primarily at giving individuals more control over their personal data that will additionally benefit business. For example, the new right to data portability, which allows individuals to move their personal data between service providers without losing, for eg contacts and emails, will take away disincentives to switch which often mean building up again from scratch, meaning start-ups and small companies can compete on equal terms in markets previously dominated by industry giants. This will make the European economy more competitive. New privacy-friendly solutions are also likely to fare well in this climate.
SMEs will also benefit from a data protection reform aimed at stimulating economic growth and allowing them to access new markets by cutting costs and red tape for European business. As well as the measures outlined above, such as one law instead of 28, the obligations on data controllers and processors are adjusted based on the size of the business and/or the the nature of the data being processed, so as to avoid creating unnecessary red tape and a disproportionate regulatory burden for smaller firms. So, for example:
- SMEs need not appoint a data protection officer, unlike larger companies, unless their core activities require regular, systematic and large scale monitoring of data subjects. or they process sensitive areas of personal data such as that revealing racial or ethnic origin or religious beliefs.
- They also do not need to keep records of any processing activities that are occasional or are unlikely to result in a risk to the rights of the data subject
- They will also not be obliged to report all data breaches to individuals, unless these represent a “high risk for their rights and freedoms.”
An essential principle of the new system will be that data protection is private both by design and by default, which will incentivise businesses to innovate and “develop new ideas, methods, and technologies for security and protection of personal data.”
The new rules promote techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so only those authorised can read it) to protect personal data.
The use of “big data” analytics, such as driverless cars, which can done using anonymised or pseudonymised data, will be actively encouraged under the new regulation, showing it goes hand in hand with innovative and progressive solutions.
Overall, the new data protection rules give businesses opportunities to remove the lack of trust that can affect people’s engagement through innovative uses of personal data.
Giving individuals clear, effective information about what their data is being used for will help build trust in analytics and innovation for the benefit of all.