The European Union has introduced new data protection laws that will have implications for many Bermuda companies that do business in the 28-country bloc.

The new General Data Protection Regulation, which was approved by the European Parliament last week, is aimed at giving citizens more control over their personal data while forcing companies to take data protection more seriously.

The law will take effect in the summer and organisations will have two years from then to comply. Fines for breaking the rules will be potentially huge — up to four per cent of a company’s global revenue per infraction. It will apply to any company that handles EU citizens’ data, wherever in the world it is based, potentially creating a new challenge for some Bermudian international businesses.

One Bermudian technology company, which has been preparing for this change for the past three years, is now well placed to benefit from it.

Trunomi, led by founder and chief executive officer Stuart Lacey, specialises in solutions for creating, sharing and monetising data and for solving data privacy issues.

Mr Lacey said Trunomi’s Right Management over Data Sharing plus TruCert was built to solve the issues for organisations created by GDPR. The arrival of the new regulation was “huge” for the company, he said.

“This puts the technology platform of our Bermudian-based company squarely in the centre of a seismic shift — profoundly mandating the move to give citizens back control of their personal data, enforcing that companies comply with data portability and the right to be forgotten, as well as simplifying and harmonising the regulatory environment,” Mr Lacey said.

The GDPR is a modernisation of data protection laws drawn up in 1995. Since then the collection and utilisation of personal data by corporate giants has become more widespread.

“As referenced in my TEDx talk held in Bermuda in late 2015, individuals have long been unaware of the scope of collection and abuse of their personal data,” Mr Lacey said.

“But a new paradigm is emerging, powered by technology companies like Trunomi, where choice, transparency and control of one’s own data is now possible and where you, as the data owner, can treat it as your asset and then start to monetise it directly.”

He added: “This is a big deal for Bermuda, and awareness must be high if companies here are to figure it out and comply in time.”

Data analytics are playing an ever-growing role in many industries, not least insurance.

The new rules require organisations to be more transparent with their use of data and are designed to give individuals more say over how their data is used, including giving people the right to have some types of data deleted.

It also makes it mandatory for large companies to employ a data protection officer and for data breaches to be reported within 72 hours.

Businesses will need to have their solutions in place for the compliance deadline, said Darren Wray, CEO of Fifth Step an IT consultancy firm that counts several Bermuda companies among its clients.

“GDPR is going to require some considerable changes in the organisations that are processing personal data of those residing in the EU to ensure their systems and procedures are able to cope with the rights that the GDPR demands,” Mr Wray said.

“The go-live date is in 2018, but firms should start to look at the impacts of this earlier rather than later so that they understand the impact that these changes will have, and so that they can plan accordingly.

“The kinds of organisations that will need to make changes are banks, insurance companies, law firms, accountants whose clients include those residing in the EU.”

Ruth Boardman, a partner with UK law firm Bird and Bird, told the BBC: “A regulator could knock on the door and companies will have to have the mechanics in place and show the systems that they have to achieve compliance.”

EC commissioners Frans Timmermans and Vera Jourová said after lawmakers voted to approve the GDPR: “The new rules will ensure that the fundamental right to personal data protection is guaranteed for all.

“The GDPR will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.”