Rowan Legal

In May 2018, the new General Data Protection Regulation, also known as the GDPR, will come into force. By this date, all companies should already be prepared for the regulation and all necessary changes should already have been made.

Although it may seem like there is still plenty of time left, companies need to start thinking about the GDPR while preparing their budgets for the next fiscal year. The implementation of the necessary changes may be a rather lengthy process, which will call for a thorough assessment of ongoing data processing, security measures, relevant internal regulations and the actual functioning of the company itself. This process needs to be started in 2017 already; therefore, companies should keep it in mind now and allocate sufficient financial means to it during budgeting. Should companies begin the implementation only at the beginning of 2018, there is a real danger that they might not be able to manage it in time. The risk of non-compliance in such case is rather high as sanctions may reach a maximum of EUR 20 million or 4% of global annual turnover.

So, what changes will the GDPR bring about? The regulation is a complex piece of legislation that will replace the current Data Protection Act. First of all, the regulation changes the conditions for obtaining consent to data processing and imposes an obligation to review all consents already obtained, as regards to whether they were obtained in accordance with the new conditions. New requirements for communication with individuals will also call for the modification of many different documents, such as Privacy Policies, General Terms and Conditions, consent forms, etc. Alteration of various processes and in many cases also the implementation of new technological solutions will be required in order to comply with the new rights of individuals, such as the right to the erasure of data or the right to data portability. The GDPR also increases requirements regarding data security and data processing outsourcing. All companies will also have to be prepared to conduct various risk-based assessments, which are part of many obligations under the regulation. Particularly demanding may also be the new obligation to notify data breaches, which will require the implementation of efficient internal reporting, investigating and incident solving mechanisms.

How high are the costs of implementation going to be then? The amount that companies will have to invest will differ substantially depending on many factors. For example, the preparation will be more demanding for companies that process sensitive data as the regulation gives such data higher protection through stricter rules. The size of each company will also play a role because only the initial assessment of the ongoing processing might prove expensive for large companies with extensive data processing activities. The necessary amount will also be heavily influenced by the question whether the company already has some sort of privacy programme in place. Building on an already existing foundation will certainly be much easier than building an entire compliance system from scratch. The last important factor will be the potential need for investments into IT systems. The regulation sets quite high standards with regards to technical data security measures and many other obligations will also call for some changes in IT systems. Given the fact that such investments tend to be especially financially demanding, budgets might grow substantially as a result.

The number of necessary changes is therefore high and the implementation in general will be burdensome, both financially and time-wise. The key to success in this case is the early initiation of preparations and the allocation of sufficient resources. Companies should not think they will be able to manage the implementation during the early months of 2018, and GDPR implementation should be included in the budget for 2017.


IT Law Firm of the Year for 7th time! The turbulent seas of IT legislation in 2016