1. More business activity will be caught by the regulation than by the existing law. More information will count as ‘data’ or ‘sensitive data’ and you will be accountable if you ‘process’ data, not simply if you ‘control’ it.

2. People will have far greater rights over their data.

They will have a right to:

  • be told far more about what you are doing with their data
  • withdraw their consent to you processing their data at any time
  • force you to correct inaccurate data without undue delay
  • force you to erase their data without undue delay in certain circumstances
  • take their data away from you and give it to another company
  • not be subject to a decision based solely on automated processing, including profiling, which “significantly affects” or “produces legal effects” concerning him or her. This will make many profiling activities unlawful.

3. If you breach their rights:

  • they will have the right to complain about you to the regulator
  • they will have a right to an effective judicial remedy against you
  • they will have a right to compensation for material or immaterial damage suffered
  • they will have the right to appoint a properly constituted body, organisation or association to complain on their behalf, opening the door to class actions

4. You are going to have to tell them, quickly, if you breach their rights. You will have to report any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to their data to the regulator within 72 hours of discovery of the breach, and to the person without undue delay if the breach is likely to be a “high risk” to the rights and freedoms of individuals.

5. Breaching people’s rights could be very, very expensive. You can be fined Euro 1 million or up to 2% of annual worldwide turnover. People will also be entitled to compensation for breach of their rights.

6. If you’re a non-EU company, you will have to obey the regulation if you are offering goods or services to EU residents or monitoring the behaviour of EU residents. This is a hugely significant change for non-EU corporates; you will no longer be able to get round the rules by processing data outside the EU or ensuring that you don’t have a physical presence in the EU. Non-EU companies will not only have to be concerned about the possibility of fines if they are non-compliant. They will also need to fear legal claims if their processing constitutes misuse of private information. In the UK, misuse of private information has now been confirmed to be a tort (or civil wrong). The significance of this is that claimants bringing claims for misuse of their data against foreign defendants will obtain service out of the jurisdiction more easily.