The EU is reshaping the regulatory landscape, but smart companies will do more, say Brunswick's Peter Lindell and Annalisa Barbagallo
In 1995, a tiny company called Cadabra, deciding its name sounded too much like “cadaver,” settled on a new one: Amazon. It sold books online and filled orders out of a garage. That was the same year the European Union adopted the Data Protection Directive that regulated personal data privacy.
While Amazon went from garage-based startup to a market capitalization of more than $300 billion, the directive was not as successful. Its principles were interpreted and enforced differently across the EU, and they were also challenged by profound changes in technology and the explosive global development of companies such as Amazon.
Two new pieces of legislation, the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS Directive), are poised to modernize and standardize Europe’s laws on data privacy and cybersecurity. Their reach could even extend beyond European borders, and potentially apply to companies outside Europe whose customers include EU citizens.
These laws will affect the way companies collect and protect consumer data, and change the extent to which European governments can regulate – and punish – businesses. Companies breaking these rules will face fines as costly as 4 percent of their global revenue or €20 million ($22 million), whichever is greater.
While the new regulations are significant for their scope and severity, they point in a direction where many companies are already headed. As these organizations have realized, there is no need to wait for regulations to create robust cybersecurity policies or to be transparent with customers about how their data is being used and protected.