Multinationals with any form of operations within the EU will be significantly affected by the new General Data Protection Regulation (GDPR), so it is no great surprise that almost 40% of multinationals named regulatory risk as one of the biggest rising risks in our Risk and Confidence Survey.
The GDPR introduces a single legal framework that applies across all EU member states. The resulting harmonisation is likely to be a positive change, giving businesses a more consistent set of data protection compliance obligations from one member state to the next. However, other major changes come with it.
One of these, and a major upheaval for many multinationals, is the Regulation's expanded territorial scope. Many non-EU businesses that were not previously required to comply with the Data Protection Directive will be required to comply with the GDPR once it takes effect.
Non-EU data controllers and data processors will be subject to the GDPR if they either offer goods or services to data subjects in the EU, irrespective of whether payment is received. They will also be subject if they monitor data subjects’ behaviour, insofar as their behaviour takes place within the EU.
US organisations will be able to certify their compliance with the Privacy Shield Principles, which will authorise them to receive personal data from EU data controllers. To do so, a US organisation must first commit to the US Department of Commerce that it will adhere to the Privacy Shield Principles, and secondly it must publicly declare to individuals its commitment to process their data in accordance with those principles. In addition, the organisation must publicly disclose its privacy policy and actually implement the principles.
Another way multinationals will be affected is through the GDPR's increased enforcement powers. Fines under current national laws vary but are comparatively low; the GDPR significantly increases the maximum penalty. Fines may be up to 4% of annual worldwide turnover for the preceding financial year or 20 million euros, whichever is greater.
But it is not all bad news for multinationals. Under the Data Protection Directive, each national supervisory authority (SA) could exercise authority over businesses operating in its territory; under the GDPR, a business will be able to deal with a single SA as its lead supervisory authority across the EU. This lead SA will be responsible for regulating all cross-border processing activities carried out by the businesses within its jurisdiction.
Whether they view it as positive or negative, the GDPR comes into effect on 25th May 2018, and multinationals need to be prepared.
Hamish McBride, Head of Multinational Claims
Download our Risk and Confidence Survey at http://www.cnahardy.com/pulse