The EU’s General Data Protection Regulation (GDPR) 17/3

20th March 2017

The General Data Protection Regulation (GDPR) will come into force across the EU on 25 May 2018 and will affect every organisation that uses data belonging to European citizens. The new legislation will supersede both the Data Protection Act 1998 and the 1995 EU Data Protection Directive. Organisations have become frustrated with the outdated nature of the current framework along with the apparent lack of harmonisation across member states. GDPR is a wide-reaching piece of legislation, which will incorporate the modern-day uses of data, increase the overall protection of personal data and help develop the desired digital single market.

Despite not coming into force until 25 May 2018, the GDPR contains some onerous obligations, many of which will take firms time to prepare for. In the long term, the new regulations are designed to make rules more straightforward for businesses, and it is estimated that the new code could save the EU in excess of €2bn collectively a year.

The Regulation at a glance

Data breach notification

One of the most prominent changes in the Regulation is the obligation on controllers to inform the supervisory authority and, on occasion, the individuals concerned of personal data breaches. Controllers must report data breaches to their supervisory authority, and organisations should normally make the notification within 72 hours.


As businesses will simply be custodians of personal data, consumers will have to give their consent every time a business wishes to use their data. To make this more governable, firms should consider developing practical systems for individual consent declaration. It will become harder for firms to attain valid consent under the Regulation and individuals will be able to withdraw their consent at any time.

Territorial Scope

The GDPR expands the territorial scope of European data protection legislation to make it applicable to non-EU organisations offering goods or services to data subjects in the EU or monitoring their behaviour to the extent that the behaviour takes place in the EU.


Supervisory authorities will be able to issue fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater. Other infringements would draw a fine of the higher of 2% of annual global turnover and €10 million. The authorities will also have a wide range of other powers, including investigative powers such as the ability to carry out audits, issue warnings and impose temporary and permanent bans on processing.

Next Steps 

During the phase-in period, firms should look to undertake an audit to establish the location of data and to confirm what it is being used for. Taking a methodical approach will allow firms to implement the policies and procedures necessary to become GDPR compliant in a timely manner. GDPR affects all aspects of how businesses collect, store and use data, so planning ahead will ultimately put firms in the best possible position for the introduction of the new legislation.