GDPR — How Data Can Cost 4% of the Turnover — Explained Simply™
On 25 May 2018 an important law, the General Data Protection Regulation (GDPR), came into force with little awareness in the C-Suite and the Boardroom. GDPR aims to harmonise privacy laws across the European Union (EU) and protect EU citizens’ rights to privacy.

The main idea behind GDPR is to boost EU citizens’ protection in relation to personal data. Personal data can include name, address, location, online ID, income and much more. The EU Commission states that only 15% of individuals felt they have complete control over their data. This can affect many people’s willingness to engage in online activities and propel the digital economy.
GDPR is also beneficial to businesses. It allows companies operating in more than one country to deal with a single law on data privacy. Before the introduction of GDPR, the cost of dealing with 28 different Data Protection Authorities was estimated at €130 million. In addition, the economic benefits of a single law are estimated at €2.3 billion.
While GDPR is enacted in the EU, it is not EU-centric. Its effects are much broader and apply to organisations around the world. GDPR is quite explicit in its intent to cover more than organisations based in the EU. Article 3.1 states that if an organisation is processing personal data, regardless of whether the processing is within the Union or not, GDPR will apply. Thus, any organisation processing EU citizen data, no matter where it resides, is covered by GDPR.
Some experts argue that GDPR’s applicability is limited because of the wording “… processing of personal data of data subjects who are in the Union …” However, consider the following scenario:
You’re a senior executive in a Council in Australia. According to the latest figures from the Australian Bureau of Statistics, 6.7 million people in the country were born overseas. Thus, it’s almost a certainty that your Council area will have residents who are EU citizens. If they never travel back to the EU, there is no problem. However, if they decide to spend 6 months visiting relatives and a data breach occurs in the Council’s systems, is GDPR applicable or not?
Ultimately, this is a question that only a lawyer can answer or it may be decided in court. But the latter is…