A new EU Regulation on the processing of personal data.
Since personal data is any information relating to an identified or identifiable natural person, this Regulation covers virtually every data processing activity a company carries out: data about customers, employees, suppliers and website visitors all qualify.
Unlike Directives, EU Regulations are directly applicable in all EU member states, without the need for national laws to transpose them. Hence, a Regulation is automatically part of the law you need to adhere to.
Applicable from 25 May 2018.
Don't fall into the trap of thinking there is plenty of time. The challenges of implementing this Regulation are numerous. In light of the far-reaching consequences, it is essential that you get organized, plan ahead, commit budgets and resources and, above all, ensure timely implementation.
Even if you are located outside the EU.
The GDPR will apply to EU companies and to non-EU companies that (i) process personal data in relation to the offering of goods or services to data subjects in the EU (whether or not payment is required) or (ii) monitor the behaviour of data subjects, as far as that behaviour takes place within the EU.
Even if you “only” process data on behalf of someone else.
The GDPR expressly addresses the role and responsibility of data processors, i.e. those entities that process personal data on behalf of another entity that determines the purposes and means of the processing (the data controller). For example, a hosting provider is a data processor for the company owning the website, and a payroll service provider is a data processor for the employer outsourcing its payroll.
Compliance as a competitive edge.
The substantial sanctions and fines for non-compliance with the GDPR are one reason to take action. On a more positive note, adapting early to the GDPR requirements is a genuine opportunity to improve your processes and gain a competitive edge by turning compliance into a unique selling point.