The European General Data Protection Regulation 2016/679 (‘GDPR’) comes into force on 25 May 2018 and, as a regulation, will have direct effect throughout the EU without any need for implementation by the UK and other Member States.
Many businesses inside and outside the EU will be subject to EU data protection law for the first time from 25 May 2018. The GDPR applies to data controllers and processors with establishments in the EU. However, the GDPR also applies to those outside the EU:
For the first time, data processors have direct obligations and liability:
As well as global reach, the GDPR introduces new obligations that mean businesses may need to appoint a Data Protection Officer (DPO) and will need to train people, review processes and adapt technology, including to be able to:
Businesses are already familiar with a raft of obligations under existing law throughout the data lifecycle. The GDPR toughens those obligations, and corresponding practices and policies will need review and updating. For example: