top of page

EU General Data Protection Regulation

The EU General Data Protection Regulation may be passed by the European Parliament this week, but if so, it will not take effect until early 2018. The GDPR provides for single set of rules governing data transfers between European countries and non-European countries. The current EU Data Protection Directive regime allows different countries to have different rules. The new regulations do provide varying degrees of protective measures based on the risks posed by different businesses' activities.

Under this new regime, all businesses operating in the EU will be accountable to only one authority. The old 'Directive' had to be voted into force by national legislatures, whereas the new 'Regulation' can be implemented in states directly. The GDPR will replace the European Data Protection Directive, discussed in the Tip of the Night for February 27, 2016, and provide for uniform data protection regulations throughout the EU. [Note the EU does not include Switzerland, Norway, Serbia, Bosnia, Serbia, Albania and Montenegro, but does include the rest of Europe west of the Belarus and Ukraine, and does include the Baltic States].

Note that the GDPR does not apply to the review of data in the interest of national security or for law enforcement activities relating to criminal law. While each EU state will have its own Supervising Authority, every business will have a single 'lead authority' to monitor all of its processing activity. The regulations require Data Protection Officers be appointed to assist data controllers and processors in complying with the GDPR. The DPO has to have knowledge of both the law and information technology processes. Any data breaches are to be reported by the DPO to the Supervising Authority promptly.

Violations of the GDPR can lead to sanctions of either the greater of 20 million Euro, or 4 per cent of the global turnover [sales revenue] of a business. Data subjects will no longer have a Right to Be Forgotten, but will instead have a Right to Erasure which is has a smaller scope.

The GDPR, unlike the DPD, covers non-EU businesses which process the data of EU citizens.

bottom of page