The General Data Protection Regulation (GDPR)

July 27, 2017

Background

The EU General Data Protection Regulation (GDPR) is a new regulation that replaces the existing 1995 Data Protection Directive (implemented in the UK via the Data Protection Act 1998 and in Ireland via the Data Protection (Amendment) Act 2003). GDPR is the largest overhaul to data protection and privacy laws in Europe. The regulation applies to all European Union based data controllers and data processors and will replace all national data protection rules. The new regulation imposes a more robust and harmonised data protection regime for Member States and the new framework seeks to remedy the diverging levels of protection afforded for personal data across the EU arising from inconsistent implementation.

The regulation will come into force across all member states on 25 May 2018.

Overview

The key principle of data privacy still holds true to the previous Directive, but many changes have been made to take into account the digital age. New provisions address the requirement for affirmative consent; increased sanctions for data protection breaches and the notification requirements when a breach occurs; and the right to access. Furthermore, the definition of ‘personal data’ has been widened so that more information is brought within the regulated perimeter of the GDPR regime.

GDPR impacts all organisations that process the personal data of EU customers, clients or employees. As a result, the regulation has an extra-territorial reach: it applies to non-EU based data controllers and data processors whenever an EU resident's personal data is processed in connection with services offered to that person, or the behaviour of individuals within the EU is monitored. It also affects systems and international data transfers, including intra-group personal data transfers.

GDPR sets out enhanced rights for data subjects and additional obligations for data controllers and processors. It gives significant powers to regulators to investigate and enforce compliance, with non-compliance resulting in a fine of the greater of 20 million euros or 4% of an organisation's total worldwide annual turnover. The reforms will also strengthen individuals' existing rights to data protection and will give individuals more control over their personal data.

What are the core regulator objectives of GDPR?
  • One continent, one law: clear, modern rules unifying Europe's rules on data protection, creating business opportunities and encouraging innovation. The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU
  • Reinforcing and enhancing individuals' rights
  • Greater scrutiny on businesses to protect data and demonstrate compliance
  • Strengthening the EU internal market, by ensuring the free flow of data
  • Ensuring stronger enforcement of the rules. Non-compliance could result in fines of €20m or 4% of worldwide annual turnover, whichever is greater
  • GDPR requirements apply to data processors as well as data controllers
  • Streamlining international transfers of personal data
  • Setting global data protection standards