Today, the GDPR replaces existing data protection laws throughout Europe and introduces significant changes and additional requirements that will have a wide-ranging impact on businesses around the world, irrespective of where they operate.

The key changes and additional requirements introduced by the GDPR are:

  1. European data protection law will now apply worldwide
    Businesses that are established in the European Union and organizations that are located outside the EU that process personal data in relation to the offering of goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will have to comply with European data protection law. Businesses based outside of the EU will be subject to the new rules and will have to ensure they comply.
  2. Tougher sanctions for non-compliance
    The maximum fine for a breach of European data protection law will be substantially increased to a maximum of 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, whichever is higher.
  3. A new data breach notification obligation
    Organizations will now have to notify the relevant European data protection authority of a breach without undue delay and where feasible within 72 hours. A notification must also be made to the individuals affected without undue delay where there is a high risk to the individuals concerned.
  4. New data privacy governance, data mapping and impact assessment requirements
    Organizations will now need to appoint a data protection officer to be responsible for implementing and monitoring that organization’s compliance with the GDPR and to carry out assessments of the organization’s data processing in certain circumstances. Organizations will now also be required to map their processing of personal data and undertake data protection impact assessments for higher risk processing.
  5. A requirement to implement "privacy by design"
    Businesses must now take a proactive approach to ensure that an appropriate standard of data protection is the default when personal data is being processed.
  6. Strengthening of individuals’ rights to personal data
    Individuals in the EU will have the right to have their personal data removed from systems or online content (the "right to be forgotten"), the right not to be subjected to automated data profiling (where this would produce a legal effect) and the right to be given a copy of the personal data relating to them in a commonly used format and to have that information transmitted to another party (the "right to data portability"). Organizations must determine how they will enable individuals to exercise these rights.
  7. Enhanced requirements for the supply chain
    Businesses must only use other parties to process personal data that provide sufficient guarantees that they will implement appropriate security measures to satisfy the requirements of the GDPR. These service providers will now be held accountable for their own level of appropriate security, must document their processing to the same extent under the GDPR and must obtain prior consent to employ sub-processors. Organizations will need to review and amend their contracts with these parties to address the changes in responsibilities.

Since the end of 2017, the Article 29 Working Party issued new guidance (or revised existing guidance) for GDPR-compliance in respect of the following areas:

  • Data Protection Impact Assessments
  • Data Portability
  • Data Protection Officer
  • Consent
  • Transparency
  • Automated decision making and profiling
  • Personal data breach notification
  • Application and setting of fines

Over the next few months, we will be keeping you updated on GDPR guidance, enforcement decisions throughout Europe and other substantial developments.

Related Information

Previous Articles