Change Practitioner of the Month goes to…The EU!

I’m sure you’ve probably noticed your inbox being flooded with endless streams of emails recently. Companies you’re vaguely familiar with and some you’ve never even heard of, all with the very catchy subject line, ‘We’ve updated our privacy policy!’.

So what’s been going on? Well the biggest shake-up to existing data privacy laws in over a decade took effect on Friday 25th May 2018 when, 2 years after it was first announced, the General Data Protection Regulation (‘GDPR’) came into law in the UK and in all other EU countries. The aim was to introduce greater transparency on the part of companies so consumers know exactly what kind of personal data such companies have of them and for what purposes they are being used.

Accordingly, the Facilitate4Me Change Practitioner for May is awarded to the European Union (‘EU’), for implementing GDPR across Europe.

Brief Background to GDPR

Adopted in April 2016 and implemented in May 2018, GDPR is a sweeping set of rules aimed at modernising existing laws that protect the personal information of individuals. According to the European Commission’s official website, the GDPR is designed to harmonise data privacy laws across Europe as well as give greater protection and rights to individuals.  As a result, these “strong rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field”.

Replacing the previous 1995 Data Protection Directive, this new GDPR implements a variety of strict provisions that seeks to tackle society’s increasing reliance on and obsession with data consumption and data harvesting. Against the constant backdrop of data breaches by global companies, the growing threat of cyber-attacks and the recent scandal regarding Cambridge Analytica, it seems GDPR couldn’t have come at a much better time.

So what’s new? Here are some key changes from the regulation affecting both companies and individuals:

Rights of Individuals (Selected):

  1. Right to be informed: Individuals have the right to be informed about the collection and use of their personal data, which is a key transparency requirement under the GDPR. Companies must provide individuals with information including their purpose for processing their personal data, retention periods for that personal data and who the data will be shared with. This is called “privacy information”, according to Information Commissioner’s Office website.
  1. Right of Access: Individuals have the right to access their personal data, and can do so by making a request to the company holding the data either verbally or in writing.
  1. Right of Erasure: Also known as ‘the right to be forgotten’, this gives individuals the right to have personal data erased, although this right is not absolute and only applies in certain circumstances.


The Impact on Businesses:

  1. Increased Territorial Scope: According to a org article, arguabley the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s actual location. So a company headquartered in the United States for example, but with customers based in the EU are still subject to the GDPR.


  1. Penalties: Companies that fail to adhere to the GDPR could not only suffer reputational damage but serious financial damage as well. The GDPR mandates that any organisation in breach of the rules can be fined up to 4% of annual global turnover or €20 million, whichever is greater.
  1. Consent: Conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Considering the radical changes this regulation has introduced to data privacy, and most notably the burden the regulation has placed on companies to uphold good data protection practices, many data privacy advocates are calling the GDPR a rousing success. With the implementation of the GDPR still in its infancy, it remains to be seen what practical impact it will have on how companies manage our data and how individuals seek to take ownership of their data. Many are already predicting a rise in litigation cases as a result of future company data breaches for example, but until sufficient time has passed for such concrete evidence to be gathered, Facilitate4Me would like to praise the EU for taking this bold and revolutionary step in introducing GDPR.

Now, back to those emails!


By Ebony Ezekwesili

Share Button