This bulletin sets out the main changes under the General Data Protection Regulation (GDPR) of which all businesses need to be aware. Due to come into force on 25 May 2018, the GDPR is the most significant development in data protection law for 20 years.

  • The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
  • The GDPR will make it easier for data controllers to rely on ‘legitimate business interests’ as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and the data subject.
  • Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
  • Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
  • There will be increased requirements as to what information must be provided to individuals before processing their data (i.e. via a privacy policy).
  • Data processing agreements between data controllers and data processors will be required to contain extensive mandatory data protection clauses; for example, a controller’s right to audit its processors and obligations on processors to assist with subject access requests and personal data breaches.
  • Codes of Conduct and Certifications will be developed to assist data controllers and processors in demonstrating their compliance with the GDPR and also as a means to legitimise international data transfers.
  • Multinationals will benefit from a one-stop shop, where the data protection authority in the member state where the controller or processor has its main establishment will be the lead authority in relation to data processing undertaken by that controller or processor.
  • Organisations whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale or of special categories / criminal related data will be required to appoint a Data Protection Officer.
  • Organisations will be required to maintain a record of all of their data processing activities which must be made available for inspection.
  • Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
  • Fines of up to 4% of annual worldwide turnover of the preceding annual year or EUR 20 million may be imposed for non-compliance.