Updated: Feb 20
Whilst the business impact of the GDPR will depend on the location of an entity, its processing activities and its prior compliance framework, the preliminary business impacts of the GDPR include:
¬ Dealing with an expanded definition of personal data to incorporate information such as location data and other identifiable information associated with emerging digital technologies;
¬ Extra-territorial application: The GDPR applies to the processing of EU citizen data irrespective of location;
¬ Compliance with the breach notification requirements where personal data is compromised. The relevant supervisory authority must be notified within 72 hours of a breach (or potential breach) and unjustified delays are subject to penalties;
¬ From a governance perspective, requires organisations to implement Privacy by Design approaches and may require them to appoint a Data Protection Officer (DPO). Privacy by Design will require minimality in the use of personal information and anonymity or the use of pseudonyms;
¬ As part of increased governance, mandates adequate contracts between so-called data controllers and data processors;
¬ Requires organisations to erase personal data at the request of the data subject (subject to conditions);
¬ Requires organisations to implement data portability facilitating ease of transfer of personal data to another organisation;
¬ Imposes higher fines and more significant financial penalties for breaches and non-compliance; and
¬ To enable rights of access, organisations should have processes that enable data subjects to obtain confirmation of whether their personal information is being processed by an organisation and/or a copy of their personal data, electronically, at no cost on request.
The business impact of the GDPR will evolve as the jurisprudence concerning its provisions develops over time.