What you need to know

What is it?

The EU General Data Protection Regulation, also referred to as the GDPR, is the latest significant development in data protection law to affect the EU and was adopted on 27 April 2016. After more than four years of discussion since the Commission's proposal, the GDPR, once it applies, will replace the Data Protection Directive of 1995 (Directive 95/46/EC).

Why was it passed?

The European Parliament, the European Council and the European Commission, in passing the GDPR (Regulation (EU) 2016/679), intended to strengthen data protection for individuals, with a particular goal of introducing better accountability. Once the GDPR is in effect, organisations will not only need to comply with it but will need to be able to demonstrate that compliance.

Who does it apply to?

The GDPR will apply to the processing of personal data relating to individuals (data subjects), in both the private and the public sector, subject to limited exemptions. It applies equally to organisations established in the EU and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour; the test is whether the individuals are in the EU, not whether they are EU citizens.

When does it come into effect?

The GDPR applies in all EU Member States from 25 May 2018, two years after its publication in the Official Journal of the EU. As a Regulation, it applies directly without needing national implementing legislation.
What are some of the important changes in data protection law?

Appointment of a data protection officer (DPO)

In certain circumstances, organisations will need to appoint a DPO. These include cases where the organisation is a public authority, where its core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. The DPO's tasks include informing and advising the organisation and its staff, monitoring compliance (including awareness-raising and training of staff involved in processing) and acting as the contact point for the supervisory authority.

Privacy by design

Organisations need to demonstrate that they have implemented appropriate compliance measures. In particular, they will need to demonstrate that they have adopted internal policies and technical and organisational measures that meet the principles of data protection by design and by default (the GDPR's term for privacy by design): building data protection into processing from the outset, and ensuring that by default only the personal data necessary for each specific purpose is processed.

Privacy impact assessments (PIAs)

Privacy impact assessments, which the GDPR calls data protection impact assessments (DPIAs), will be required in certain circumstances. In particular, organisations must carry out a DPIA before starting any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, for example systematic and extensive profiling, large-scale processing of special categories of data, or systematic monitoring of a publicly accessible area on a large scale. Where the assessment shows a high risk that the organisation cannot mitigate, it must consult the supervisory authority before processing.

Consent

An organisation relying on consent as its grounds for processing personal data will need to be able to demonstrate that consent was given. Consent must be freely given, specific, informed and unambiguous, indicated by a clear affirmative action (pre-ticked boxes or silence will not do), and it must be as easy to withdraw as it was to give.

Binding Corporate Rules (BCRs)

The GDPR expressly recognises binding corporate rules, approved by the competent supervisory authority, as a lawful basis for transferring personal data outside the EU within a group of companies. The BCRs must be legally binding on, and applied and enforced by, every member of the group. This is likely to become the more popular option for intra-group transfers of data outside the EU.

Who will supervise compliance?

The GDPR requires each Member State's national data protection authority (e.g. the AEPD in Spain) to handle complaints and enforce the GDPR. Where processing is cross-border, a different rule applies: the authority of the Member State in which the organisation has its main establishment acts as lead supervisory authority and coordinates with the other authorities concerned (the so-called one-stop-shop mechanism).

What happens if I don’t do anything?

The GDPR has attracted the interest of the media and of many businesses because of its penalty provisions. There are two tiers of administrative fines: up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches such as failing to keep records, to notify breaches or to carry out a required DPIA; and up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for breaches of the basic principles of processing, of the conditions for consent, of data subjects' rights or of the rules on international transfers. Supervisory authorities can also order an organisation to stop processing altogether, and individuals can claim compensation for damage suffered.

Why get an expert to help?

Time is ticking. Once the GDPR is in effect, it is too late to start working out what it requires. Companies need to act now, and they need to know what they are doing. Once a compliant system is in place, the need for outside expertise is much smaller, but early on the advice is to work with an expert to make sure you are not in breach of the new regulation and subject to a penalty for non-compliance.
