Harmonising EU Data Protection rules

The long-awaited General Data Protection Regulation (“GDPR”) has now been published in the Official Journal of the European Union.

What is it?

The GDPR will harmonise data protection laws across the EU. It will change how businesses process and transfer the personal data of EU residents. It is scheduled to come into effect in May 2018, and it will have direct effect on the data protection rules of all Member States. Each Member State will have an Independent Supervisory Authority responsible for GDPR enforcement (“ISA”). In the UK, this will be the Information Commissioner’s Office.

Will the GDPR apply to your business?

If you collect and manage the personal data of an EU citizen, you will need to be GDPR compliant, even if your business is located outside of the EU. In the employment context, you will be affected if you manage (or plan to manage) a European workforce.

With penalties for breaches as high as 4% of a company’s annual worldwide turnover, it is important to understand the changes and start planning for their arrival.

Key obligations?

• Maintaining written records of how, when and why personal data is processed. This includes identifying third party data recipients (e.g. service providers), recording international data transfer details, and identifying the ‘technical and organisational measures’ in place to protect the data.
• Conducting an initial impact assessment if the proposed processing is potentially high risk.
• Notifying the ISA of your data breaches without delay and within 72 hours of becoming aware of them. If the breach puts individual privacy rights at ‘high risk’, every individual must be informed.
• Consent – Silence, pre-ticked boxes or inactivity will no longer constitute valid consent.
• Responding to subject access requests within one month.
• Appointing a company Data Protection Officer with expert knowledge of the rules. This can be an employee or a contractor.
• Responding to individual requests to erase personal data.
• Working out which ISA will be the lead authority by establishing: (i) where your business has its main administration; (ii) where data processing decisions are made.


All organisations should become familiar with the GDPR. It is advisable to begin reviewing any changes that you will need to make to current practices well in advance of May 2018, as the penalties for breach could be severe.