The EU General Data Protection Regulation (GDPR): Time to Act

The EU General Data Protection Regulation (GDPR): Time to Act

eu-general-data-protection-regulation-gdpr_1The new regulation is aimed at empowering the citizens as owners of personal data, as well as establishing legal certainty for business based on clear and uniform rules. The GDPR will apply to all organizations in and outside the EU that deal with the personal data of EU individuals.

The new data protection rules establish a modern and harmonized data protection framework across the EU. To ensure compliance with the regulation once it comes into force, companies must be proactive and implement adequate policies and procedures to comply with the changes the Regulation introduces. Organizations must be prepared for when this new regulation comes into effect in 2018.

The General Data Protection Regulation (GDPR) will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will apply after 25 May 2018 as it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact.

The GDPR will provide a major overhaul of the EU data protection regulatory framework, imposing many new requirements. It will pose a challenge for both private enterprises and public authorities to become compliant. An early start is necessary to get familiar with the new rules and determine your organisation’s specific need for conversion.

The GDPR will be the biggest change in data protection law for 20 years. A lot of work needs to be done now before it comes into force.

The new legislation is set to bring major changes to data security, particularly as regards to appointing data protection officers, carrying out risk assessments, implementing data protection by design, ensuring appropriate systems to minimize risk, notifying authorities within 72 hours of a breach and understanding where personal data resides and how it can be protected accordingly.

It introduces major changes to the compliance burden borne by organizations. All in all, the GDPR represents a hugely significant step in the development of data protection as a concept and it is difficult to overstate its importance.

The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of, EU data subjects. Many will need to appoint a representative in the EU.

In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme. One of the key changes in the GDPR is that data processors have direct obligations for the first time.

A data subject’s consent to processing of their personal data must be given and fair processing notices must be provided. Data breach notifications must also be provided in a timely fashion.

The GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million, or four percent of worldwide turnover. The GDPR requires greater openness and transparency; it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organizations.

A new European Data Protection Board will be established ensuring the application of the GDPR as a one-stop shop.

It will make Europe fit for the digital age and the Regulation is an essential step to strengthen citizens’ fundamental rights in the digital age.

EIMF has organized two day half day workshops on the 8th and 9th of March on issues of GDPR and its implementation. To find out more please visit