The General Data Protection Regulation (GDPR), widely considered the biggest shakeup in data protection legislation for 20 years, takes effect from 25 May 2018. Businesses have already had a year to get their affairs in order to ensure that, come May 2018, they will be compliant with the GDPR. The GDPR will impose more stringent requirements in a number of areas with a view to giving individuals more control over their personal data and bringing data protection law up to date for the digital age. Importantly, the GDPR will also introduce considerably more severe sanctions for non-compliance; serious breaches could result in fines of up to a maximum of EUR 20,000,000 or 4% of global turnover, whichever is higher.
As the GDPR is an EU Regulation, it will be directly applicable in each Member State without the need for national implementing legislation. However, there are a significant number of derogations contained in the GDPR (also known as 'opening clauses') and some Member States have begun to draft and enact their own legislation supplementing the new framework.
The GDPR will not just affect businesses in the EU - it has extraterritorial reach and also applies to businesses outside the EU offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU (e.g. through the use of data analytics).
Given the UK's vote to leave the EU in June 2016, no update would be complete without mentioning Brexit. As the UK will still be part of the EU when the GDPR comes into effect, it will be directly applicable in the UK from May 2018 in the same way as in the other EU Member States until such time as the UK actually leaves the EU. Thereafter, it is likely that the UK data protection regime will remain closely aligned to the GDPR, at least in the short to medium term; in the recent Queen's Speech, the current UK Government announced its intention to implement the GDPR into national law after Brexit through a new Data Protection Bill.