The final text of the significant new EU General Data Protection Regulation (GDPR) has now been published (4 May 2016) in the Official Journal of the European Union. This means the clock is now ticking for the sweeping new data laws that will apply to anyone using personal data across the 28 EU member countries, as well as potentially businesses in the United States. Given the wide-ranging changes this will bring to the existing law, the extraterritorial reach of the GDPR and the significantly increased fine levels to be introduced, companies, both in and outside the EU, are advised to act now to ensure that they are fully prepared for implementation day.

The GDPR, which replaces the current Directive 95/46/EC and has taken more than four years to negotiate, applies to all commercial processing of the personal data of EU data subjects, wherever that processing takes place. The GDPR also introduces new and reinforced rights for data subjects and significantly increases fine levels in case of privacy breaches (potentially up to 4% of global revenue).

In order to bring themselves into line with the GDPR, companies both inside and outside the EU will be required to audit their processing activities, (e.g., consider what internal changes are needed, action changes to their marketing/sales activity, website, customer interaction, data sharing and transfers and so on), to ensure that compliance is in place before implementation date and ensure that they are adhering to principles of “Privacy by Design”.