GDPR is coming: are we ready?

The revolution in information and communication technologies is changing the world at an unprecedented pace. Digitalization, data and analytics are rapidly transforming old business models and processes. Across all sectors and industries, businesses are going digital. Data is becoming a key asset for the economy with more data being created in the past few years than in the entirety of human history.

A set of issues revolving around data protection, privacy and cybersecurity recently come to the forefront of the public discussion in Europe, which has reflected in the evolution of EU’s regulatory landscape. The Directive on security of network and information systems from 2016 is the first piece of EU-wide legislation on cybersecurity, while the ePrivacy Directive and the General Data Protection Regulation (GDPR) provide the legal framework to ensure digital privacy for EU citizens.

GDPR applies to any company, regardless of its size or location, that stores or processes personal data relating to European citizens. With i European Commission aims to regulate how companies collect citizens’ data online, what kind of consent do they need, how long can they keep it and so on. The EU General Data Protection Regulation is the new EU standard for privacy and it will have a huge impact on all companies doing business in the EU. New regime will ensure a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.

Stakeholder demands

GDPR raises a number of issues cutting across data economy, ICT regulation, consumer trust, human rights and protection of privacy. Companies need to learn how to adapt to these new regulations but also to the demands of their stakeholders, as consumers are increasingly requesting improved cyber security. Consumers have fears about the inappropriate use of personal information gathered, stored and analysed using ICTs, and want their identities and data protected. There is an increasing demand that companies include cyber security and data protection into their corporate social responsibility efforts.

A number of surveys show that European citizens consistently call for strong protection of the confidentiality of their communications and effective respect of their privacy. Attitudes of Europeans towards data privacy from 2015 Eurobarometer survey are quite telling: 81% of Europeans feel that they do not have complete control over their personal data online, and a large majority of Europeans (69%) would like to give their explicit approval before the before the collection and processing of their personal data. Only 24% of Europeans have trust in online businesses such as search engines, social networking sites and e-mail services. A large majority of the 27,000 respondents to the Eurobarometer survey say that the privacy of their personal information, their online communications and their online behaviour is very important.

As consumers are increasingly concerned about privacy, loss of their trust means lost opportunities and revenues for companies. Recent high-profile data breaches have pushed consumers to escape from companies that did not adequately protect personal data. However, many businesses lack not only the knowledge to adequately manage technological and cyber-risks, but also the skills and competences to thrive in digital aspects of their business.

With the the General Data Protection Regulation coming into force on May 25th, there is little time left to prepare and the main question is – are we ready?

Author: Marina Tomić (The Croatian Institute for CSR)