The European General Data Protection Regulation 2016/679 (‘GDPR’) applies from 25 May 2018 and, as a regulation, has direct
effect throughout the EU without any need for implementing legislation by the UK and other Member States.

Global reach

Many businesses inside and outside the EU will be subject to EU data protection law for the first time from 25 May 2018. The GDPR applies to data controllers and processors with establishments in the EU. However, the GDPR also applies to those outside the EU:

  • who process the personal data of individuals in the EU in order to offer them goods or services (whether or not payment is required) or to monitor their behaviour within the EU, or
  • to whom Member State law otherwise applies by virtue of public international law

Processors directly covered

For the first time, data processors have direct obligations and liability:

  • direct obligation to implement appropriate security measures
  • designating a DPO and / or representatives within the EU when required
  • restrictions on the use of sub-processors
  • liability for infringement of the GDPR’s processor provisions
  • liability for acting contrary to the controller’s instructions

New obligations on data controllers

As well as global reach, the GDPR introduces new obligations that mean businesses may need to appoint a Data Protection Officer (DPO) and will need to train people, review processes and adapt technology, including to be able to:

  • respond to data subject requests for data restriction, portability and the now-codified ‘right to be forgotten’
  • notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify affected data subjects without undue delay where the breach is likely to result in a high risk to them
  • handle all dealings with children appropriately
  • take ongoing measures and maintain records to prove compliance to regulators

Existing obligations increased

Businesses are already familiar with a raft of obligations under existing law throughout the data lifecycle. The GDPR toughens those obligations, and corresponding practices and policies will need review and updating. For example:

  • new requirements for privacy notices, and for the information to be provided before personal data is collected, mean that existing consents need careful review for GDPR compliance
  • far more detailed obligations must be included in contracts with processors, meaning all existing processor agreements will need to be amended
  • systems for responding to data subject rights need to be more capable: they must be able to locate, export, restrict and erase an individual’s data across all systems, normally within one month of the request
  • fines for infringement are greatly increased, to a maximum of €20 million or 4% of total worldwide annual turnover, whichever is higher, confirming data protection as a board-level matter