We are ready for GDPR 2018. Are you?

I am fairly certain that by now, most of you have at least heard of something called the EU General Data Protection Regulation (GDPR). If not, you may be in for a big surprise. Reactions to the GDPR have gone through a few phases in the last few years, from “That is just another regulation that does not affect us,” to “We will wait until we have to comply,” to “That really might apply to us,” to “Uh-oh, we should probably do something about this. Is it too late?” If any one of these sounds like something you have heard in your own organization, you had better get moving, because GDPR is already here.

Let’s look at the basics. The General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for their business. It was adopted on 14 April 2016 and after a two-year transition period, having come into force on 25 May 2018.

GDPR replaces the 1995 Data Protection Directive (DPD). The main difference between GDPR and DPD in definition is the following:

DPD definition:

‘’any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’’

GDPR definition:

‘’any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’’

Because GDPR is a regulation, not a directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable.

The impact of the regulation will be broad, as it applies to any company that holds or processes personal data of individuals residing within the European Union. This is irrespective of whether the company is based in the EU or not. The penalty for GDPR non-compliance is up to €20M or 4% of annual global turnover. The cost of ignoring GDPR is too high, forcing corporations to reconsider the way they handle consumer data, and to install new processes and technologies empowering the consumers right to “own” their data.

Andreas Pastellides

Head of Legal & Litigation