The General Data Protection Regulation (GDPR) contains rules that govern the processing of personal data, from its collection to its use and disclosure. It applies to processing undertaken in the context of the establishment of a controller or processor in the EU, regardless of where the processing takes place, as well as to those based outside of the trading bloc where they direct services to EU citizens or monitor the behaviour of EU citizens and such activity involves the processing of their personal data.
The GDPR was finalised by EU lawmakers in 2016, but it applies from 25 May 2018.
Claire Edwards, a specialist in data protection law at Pinsent Masons, the law firm behind Out-Law.com, said the GDPR will impact on organisations across all sectors of the economy.
Edwards said: "The central pillars of the previous data protection regime are unchanged – the need for personal data processing to be fair and lawful and limited to what is necessary for the specific purposes being pursued, and in respect of the requirement to keep the data secure, for example. However, the GDPR imposes a number of new duties on businesses, including obligations to carry out data protection impact assessments, rectify, erase and/or cease processing data, maintain records of the steps they take towards compliance, and report major data breaches."
"The GDPR will require greater accountability from organisations for the data processing they engage in too, and this is reflected in the rules requiring businesses to appoint a data protection officer in certain circumstances and in the penalties regime, which could see businesses responsible for breaches hit with fines of up to 4% of their annual global turnover, or €20 million, whichever is higher," she said.
"The GDPR has been a long time in the pipeline and is a necessary update of the data protection framework for the digital age. Compliance with the new rules will be an ongoing process for organisations – companies that have not yet got their house in order should not panic but instead focus on prioritising their steps towards compliance. For businesses that embrace the spirit of the new laws, however, and give individuals greater control over how their data is used, there is the opportunity to win greater trust from consumers and obtain a competitive advantage," Edwards said.
The UK government has previously confirmed that the GDPR will continue to apply in the UK post-Brexit, at least in the short term. A new Data Protection Act has been passed by the UK parliament to supplement the GDPR, and similar national legislation is being, or has already been, introduced across Europe, including in France, Germany, Ireland and Spain.
EU and national data protection watchdogs have issued a raft of guidance to help businesses with navigating the GDPR.
Recently, the Information Commissioner's Office (ICO) published its finalised guidance on consent under the GDPR, as well as on businesses' new data portability obligations.
The ICO has promised to take a "proportionate and pragmatic" approach to enforcement under the GDPR and, in a draft new regulatory action plan it outlined, said it would "encourage and reward compliance" in the way it applies its regulatory powers.