On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) comes into force, replacing the Data Protection Directive. It is designed to protect the rights of EU citizens whose data is held by organisations.
The GDPR is the most serious piece of privacy legislation for the last 20 years. Fines for non-compliance can reach €20m or 4% of turnover, whichever is greater.
And, although it’s EU legislation, GDPR affects all companies that handle or process data for EU citizens. So, although the UK will be leaving the EU by the time GDPR comes into force, it will affect the vast majority of companies operating on these shores.
Worryingly, according to a report from Gartner, fewer than 50% of companies that GDPR applies to will be compliant by the end of 2018. If that’s you, or you think it might be, you will need to get your skates on.
What do I need to know?
The GDPR differs significantly from the current data protection directive. Here are some key points:
The regulatory landscape is the biggest change. The GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. So, for example, a company operating in the US offering services to EU residents will fall under GDPR.
GDPR will also apply across an organisation’s network, meaning that the companies it does business with must also comply with GDPR.
The penalties imposed by GDPR are potentially so big that they could put a company out of business. This is deliberate. Under the current directive, fines are not much of a deterrent for non-compliance. In some cases, it is easier and cheaper to pay the fine than it is to be compliant.
The new penalty system works on a tiered structure:
· A written warning for first-time or unintentional non-compliance
· Regular, periodic audits
· Fines of €10m or 2% of annual worldwide turnover from the previous year, whichever is greater
· Fines of €20m or 4% of annual worldwide turnover from the previous year, whichever is greater
These penalties apply to both the holder of the data and the party processing it, so even cloud providers, for example, will not be exempt.
The conditions for consent to hold, store and distribute personal data have been strengthened. Companies seeking consent will no longer be able to use illegible terms and conditions full of legalese. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without delay. The reporting of a data breach is not subject to any minimum standard and must be reported to the Supervisory Authority within 72 hours of the data breach. Individuals have to be notified if an adverse impact is determined.