Legal Update

The GDPR: The Changes that Will Affect Your Business

25 May 2018
Mayer Brown Legal Update

Today, the GDPR replaces existing data protection laws throughout Europe and introduces significant changes and additional requirements that will have a wide-ranging impact on businesses around the world, irrespective of where they operate.

The key changes and additional requirements introduced by the GDPR are:

  1. European data protection law will now apply worldwide
    Businesses that are established in the European Union and organizations that are located outside the EU that process personal data in relation to the offering of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will have to comply with European data protection law. Businesses based outside of the EU will be subject to the new rules and will have to ensure they comply.
  2. Tougher sanctions for non-compliance
    The maximum fine for a breach of European data protection law will increase substantially, to 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, whichever is higher.
  3. A new data breach notification obligation
    Organizations will now have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.
  4. New data privacy governance, data mapping and impact assessment requirements
    Organizations will now need to appoint a data protection officer to be responsible for implementing and monitoring that organization’s compliance with the GDPR and to carry out assessments of the organization’s data processing in certain circumstances. Organizations will now also be required to map their processing of personal data and undertake data protection impact assessments for higher risk processing.
  5. A requirement to implement "privacy by design"
    Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default when personal data is being processed.
  6. Strengthening of individuals’ rights to personal data
    Individuals in the EU will have the right to have their personal data removed from systems or online content (the "right to be forgotten"), the right not to be subjected to automated data profiling (where this would produce a legal effect) and the right to be given a copy of the personal data relating to them in a commonly used format and to have that information transmitted to another party (the "right to data portability"). Organizations must determine how they will enable individuals to exercise these rights.
  7. Enhanced requirements for the supply chain
    Businesses may only engage other parties to process personal data on their behalf where those parties provide sufficient guarantees that they will implement appropriate security measures satisfying the requirements of the GDPR. These service providers will now be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent before employing sub-processors. Organizations will need to review and amend their contracts with these parties to address the changes in responsibilities.

Since the end of 2017, the Article 29 Working Party has issued new guidance (or revised existing guidance) on GDPR compliance in the following areas:

  • Data Protection Impact Assessments
  • Data Portability
  • Data Protection Officer
  • Consent
  • Transparency
  • Automated decision making and profiling
  • Personal data breach notification
  • Application and setting of fines

Over the next few months, we will be keeping you updated on GDPR guidance, enforcement decisions throughout Europe and other substantial developments.

Authors

  • Kendall C. Burman
    T +1 202 263 3210
  • Diletta De Cicco
    T +32 2 551 5945
  • Régine Goury
    T +33 1 53 53 43 40
  • Charles-Albert Helleputte
    T +32 2 551 5982
  • Vanessa Klesy
    T +49 69 7941 1283
  • Mark A. Prinsley
    T +44 20 3130 3900
  • Lei Shen
    Partner
    T +1 312 701 8852
  • Björn Vollmuth
    T +49 69 7941 1587
  • Konstantin von Werder
    T +49 69 7941 1080
  • Dr. Ulrich Worm
    T +49 69 7941 2981
  • Oliver Yaros
    T +44 20 3130 3698
  • Dr. Guido Zeppenfeld, LLM
    T +49 69 7941 2241