Users will be able to make compensation claims
The regulation will allow users to claim damages in the instance of data loss as a result of unlawful processing, including collective redress, the equivalent of a US-style class action lawsuit. Senior management will need a good understanding of what kind of impact this would have on their business. Not only can legal damages be incredibly costly from a financial perspective, they also represent further reputational damage as cases can carry on for years and keep the story in the public eye throughout this time. Sony, for instance, is currently facing seven class action lawsuits following last year's hack. The public will be reminded of Sony's security failings again and again.
There are tighter rules on transferring data on EU citizens outside the EU
However legitimate the data controller believes the sharing to be, the directive currently prohibits personal data from being transferred outside the European Economic Area (EEA) unless the controller ensures an adequate level of privacy protection (the adequacy requirement).
When negotiating with a cloud provider, ask as part of the contract whether they are allowed to move data between countries and, if so, whether they must inform you of such a move or may only do so at your request. Get visibility into where the CSP's headquarters and data storage facilities are located (don't assume they are in the same country), as well as any countries where they employ people who manage the service. Furthermore, whereas the directive allows a data controller to decide whether a third-party provider is safe, under the regulation only the commission can do so.
Harmonised user request rights
Under the directive, users already have the right to see the data collected about them. However, each country currently defines how data controllers should respond (the UK allows 40 days) and in the new regulation the deadline will be harmonised, probably to 20 days.
New erasure rights
In the new regulation, users can also demand that their data be erased. This may sound straightforward but it's not always that simple. If a person said they wanted to be removed from one of your databases, how would you go about doing so? Would you have to remove data from multiple systems? Are syncing protocols in place that would make doing so difficult? Do you have processes now for this and how would you remove contact information from individual databases or spreadsheets? These are questions that need answering now, not after the regulation comes into play.
It is your responsibility to inform users of their rights
Under the new regulation, controllers must inform and remind users of their rights, and must document the fact that they have done so. In addition, users should not have to opt out of their data being used; they must opt in to your systems. This is more stringent than the current directive, and companies that fall foul of these measures will face larger fines.