Data protection in the European Union is about to undergo a big shake-up.
From May 25, businesses will have to comply with the General Data Protection Regulation (GDPR). The legislation will update the 1995 Data Protection Directive — introduced at a time when the digital age was in its infancy — and will impact citizens as well as companies.
On its website, the European Commission states that a new single law on data protection will replace "the current inconsistent patchwork of national laws." Businesses, it explains, will be able to deal with one law rather than 28, with the financial benefits estimated at 2.3 billion euros ($2.85 billion) each year.
Among other things, the GDPR is set to boost people's right to be forgotten and guarantee free, easy access to personal data. Organizations and businesses will also have to inform people about data breaches that could negatively impact them, and do this "without undue delay." Relevant data protection supervisory authorities also need to be told.
"We are yet to see exactly how these rules would be applied in courts, but many things will change including, for example, the regime on consent, so the conditions under which you will have been seen to give acceptable, informed consent for the use of your data," Damien Tambini, from the London School of Economics and Political Science (LSE), told CNBC.
"The ability to share data across organizations, the right to be forgotten, will actually be written into law," Tambini, an associate professor at the LSE's department of media and communications, added.
This would include the ability to erase data, Tambini said, as well as rules surrounding data portability. "In order to, for example, promote competition between social networks, you will have the right to take your data out in a machine-readable form and use it in another social network."
The Oxford University Press (OUP), a publishing house that is hundreds of years old, is one of the businesses that will be affected by GDPR.
"These are some of the most aggressive regulations around privacy and data protection that we see globally right now," the OUP's Casper Grathwohl told CNBC.
"Our approach to this has been to try to implement a programme that fits those requirements around the world," Grathwohl added. He said that if the business was meeting requirements for GDPR, it would most likely be compliant in all of the markets it operates in.
"That can change and so it's why we need to keep paying attention and making sure we're responding as different countries and different regions start to develop and evolve, and their regulation evolves," Grathwohl said.
Right now, the OUP is adhering to a GDPR standard that looked like it was effective as global policy, he said.
