Qualified rights to be forgotten and more power to object to the way data is processed
The first list is a lot longer than the second but that's no guide to the long-term implications. Too many companies have grown used to collecting data as if it's a riskless part of their business, a mere data management headache. Once the GDPR gets into full swing, it will start to become apparent that collecting data now comes with legal risks that dwarf the old IT assumptions.
The sort of data breaches that afflicted UK companies in 2015 would, if they occurred in the future, no longer be simply embarrassing clean-up jobs but financial and legal minefields opening shareholders to major losses. Take TalkTalk's embarrassing series of data breaches as an example. The company claimed its loss-of-business and clean-up costs for the incident were around £35 million ($50 million). Under the GDPR they might have faced an additional £70 million fine and the possibility of legal action by customers. There would also be the possibility of further follow-on fines for repeat offences.
It'll be three years before GDPR bares its teeth and companies will face major logistical challenges getting a grip on their data, especially unstructured data scattered hither and thither. Fortunes will be made making all this tick over. But disaster awaits companies that misunderstand what's going on here.
The GDPR isn't something they have to understand, spend a bit of money on, and move on. It's here for good. Personal data will never be the same again.