IOT: Powering the digital economy

European businesses are readying themselves for a massive shift in data protection rules

A big shift in data protection is coming

Companies in Europe will have to comply with updated rules on data protection from next May, when the General Data Protection Regulation (GDPR) will start to apply .

The new regulation will update the 1995 Data Protection Directive — introduced at a time when the digital age was in its infancy — and will impact both citizens and businesses.

Giovanni Buttarelli, the European data protection supervisor, told CNBC in an interview that it was "time for a new culture in terms of data protection."

The changes that will come with the GDPR are significant. Among other things, it will boost people's right to be forgotten and guarantee free, easy access to personal data.

Organizations and businesses will also have to inform people about data breaches that could negatively impact them, and do this "without undue delay." Relevant data protection supervisory authorities also need to be informed.

The European Commission (EC) has said that a new single law on data protection will replace "the current inconsistent patchwork of national laws." Businesses, it says, will be able to deal with one law rather than 28, with the financial benefits estimated at 2.3 billion euros ($2.74 billion) per year.

For Paul Clarke, chief technology officer at online grocer Ocado, the issue of customer data is an important one.

"Privacy and security are very, very important topics for our customers. But at the same time, what's also important to them is to be able to shop with ever-increasing levels of personalization, with greater convenience," he said.

"There's a kind of balance to be struck between using data responsibly but harnessing it in order to deliver what customers want."

At bookseller Waterstones, managing director James Daunt said that the new regulations are being introduced at an opportune time for his business. Its answer to GDPR, he said, has been to invest.

"We happen to be at a stage of the investment cycle when we really need to invest in this, and therefore can re-launch our loyalty card, re-launch our apps, re-launch, effectively, the way in which we keep people's data and the permissions we have and the rules around how we're going to use that," he said.

This was, Daunt added, "effectively renewing the compact [contract] that we have with our customers."

European data protection supervisor Buttarelli said that retailers would be treated like "responsible adults." When breaches occur, sanctions would be "extremely severe" — up to 4 percent of the annual worldwide turnover.

Follow CNBC International on Twitter and Facebook.