July 27, 2017
The EU General Data Protection Regulation (GDPR) is a new regulation that replaces the existing 1995 Data Protection Directive (implemented in the UK via the Data Protection Act 1998 and in Ireland via the Data Protection (Amendment) Act 2003). GDPR is the largest overhaul to data protection and privacy laws in Europe. The regulation applies to all European Union based data controllers and data processors and will replace all national data protection rules. The new regulation imposes a more robust and harmonised data protection regime for Member States and the new framework seeks to remedy the diverging levels of protection afforded for personal data across the EU arising from inconsistent implementation.
The regulation will come into force across all member states on 25 May 2018.
The key principles of data privacy carried over from the previous Directive still hold true, but many changes have been made to take account of the digital age. New provisions address the requirement for affirmative consent; increased sanctions for data protection breaches and the notification requirements when a breach occurs; and the right of access. Furthermore, the definition of ‘personal data’ has been widened so that more information is brought within the regulated perimeter of the GDPR regime.
GDPR impacts all organisations that process the personal data of EU customers, clients or employees. As a result the regulation has an extra-territorial reach: it applies to non-EU based data controllers and data processors whenever an EU resident’s personal data is processed in connection with services offered to that person, or whenever the behaviour of individuals within the EU is monitored. It also affects systems and international data transfers, including intra-group personal data transfers.
GDPR sets out enhanced rights for data subjects and additional obligations for data controllers and processors. It gives significant powers to regulators to investigate and enforce compliance, with non-compliance resulting in a fine of the greater of 20 million euros or 4% of an organisation’s total worldwide annual turnover. The reforms will also strengthen individuals’ existing rights to data protection and will give individuals more control over their personal data.