Important Changes under the New EU General Data Protection Regulation (EU GDPR) | GBAF

Important Changes under the New EU General Data Protection Regulation (EU GDPR) | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > THE TOP FIVE THINGS YOU NEED TO KNOW ABOUT THE EU GDPR

THE TOP FIVE THINGS YOU NEED TO KNOW ABOUT THE EU GDPR

Published by Gbaf News

Posted on February 26, 2015

5 min read

Last updated: January 22, 2026

hdpzzzz

By Jonathan Armstrong, data regulation adviser for Absolute Software and lawyer at Cordery

Back in 2012 the European Commission (EC) revealed its plan to completely revamp the 1995 EU data protection law, bringing it out of the Stone Age and making it fit for the 21st century. Every two days we create more data than ever existed before 2003. Businesses and consumers expect data to be accessible wherever and whenever they want. With the increasing adoption of sensor driven technology, cloud computing, BYOD and a whole host of other advances many feel that the old 1995 legislation needs, at the very least, a refresh.

In 2012 the EC finally published the long-awaited proposals for the new EU General Data Protection Regulation (EU GDPR). Although this regulation is still only in its draft stage and is not expected to come into force before 2017, it is imperative that businesses are aware of what’s on the horizon so that they can start preparing for the colossal upheaval the regulation will cause. To help companies ensure they’re not caught off-guard by the pending regulation, here are five of the most important changes they need to be aware of:

The regulation will apply across Europe

Not only will the new law apply throughout the EU, but also to organisations based outside of the EU that are active in the EU market and offer services to EU citizens. So, even though a US company may have all of its offices based in in the US, if it handles the data of EU citizens, it can still be investigated, fined and even prosecuted by an EU Regulator for data loss and misuse.

Companies are liable to fines of up to two percent of their corporation’s annual global turnover

There are increased sanctions including fines of up to €100 million or up to two per cent of annual global turnover – whichever is greater. Compared to the current maximum fine in the UK of £500,000 from the Information Commissioner’s Office, the new law will dramatically raise the stakes. However, a fine may be avoided if a company can prove it had data policies in place, provided suitable education to employees, and used the correct technology software.

Companies will have to notify those whose data has been breached

Unless a company can prove that it has technology in place that leaves a lost device inoperable or completely wipes the data contained on it, it will have to notify those involved in a potential data breach. So, if 100,000 customers’ data is lost, via a lost employee phone for example, then a company will have to tell all of them that their data may have been compromised. This can lead to significant brand damage, litigation and media reporting of the incident, as well as leading to significant cost in contacting the people affected.

Organisations must notify the authorities about data breaches as soon as possible

The draft Regulation states that ‘if feasible’ companies should report a data breach within 24 hours. While it could be in the best interest of the business to report a breach within 24 hours, this is easier said than done. An employee may lose their device on a Friday evening and only report it on Monday morning or may be completely unaware that they’ve uploaded data onto the cloud for all to see. Breaches also take time to deal with. Most people would rather an organisation spent the first hours after discovering a breach fixing it rather than preparing reports and completing other less essential tasks.

Companies with 250 or more employees have to employ a corporate data protection officer

Enterprises of a certain size will need to hire someone who’s responsible for data protection. In the past, a few different people may have had some data protection training within their company but there may not have been a particular person who was directly responsible for data breaches. Now, companies will be obliged to appoint a properly trained data protection officer. And with the penalties set that much higher, it is advisable for businesses to seek out sound legal advice before choosing the correct candidate.

While we don’t know for certain the exact provisions of the EU GDPR, we do know that it is going to bring about considerable consequences to organisations across the globe. As we get closer to the official launch of the legislation, there will be two types of business; those that will only start making changes to their data protection policies once the law comes into force, and those who are already preparing for it. The latter, of course, has the upper hand. By clarifying data protection policies, educating employees, employing technology software, and for those larger organisations, hiring a data protection officer, all the right boxes will start to get ticked.

Of course, data breaches can still happen, but by proving all of these steps are imposed; companies can avoid the gargantuan fine. 2017 may seem a long way off, but the smart organisations will start seeking the correct advice and take action now, to ensure full compliance once the regulation comes into force.