General Data Protection Regulation

The European General Data Protection Regulation (GDPR) was proposed on January 25, 2012 because the current EU Data Protection Directive does not sufficiently address the important aspects of data protection in a rapidly changing environment that includes globalization, social networks, and cloud computing. The European Commission therefore determined that new rules for data protection and privacy were required and proposed the GDPR as a comprehensive reform of the Data Protection Act of 1998.

The single data protection regulation, which is scheduled to be adopted by the end of 2015 and to take effect after a two-year transition period, will then apply directly in all 28 EU member states without requiring any additional legislation by national governments. The GDPR will extend the scope of the Data Protection Directive from government agencies to all companies, and, because it is a regulation rather than a directive, it will apply uniformly across all EU countries. Employee data might be excluded from the GDPR and remain subject to individual country regulations.

There will also be a single Data Protection Authority (DPA) responsible for each company, determined by where the company is based. A European Data Protection Board will coordinate the DPAs.

The key elements of the GDPR include the creation of a single set of rules, increased enforcement powers (including higher potential fines), a duty on organizations to report breaches within 24 hours, and provisions giving people easier access to and more control over their personal data, including a "right to be forgotten" and the introduction of "data portability".

The key areas of the General Data Protection Regulation include:

  • Establishment of a single regulation that will be valid in all EU member states and will affect all businesses.
  • A "right to be forgotten" rule that will allow EU citizens to have their personal data deleted if there are no valid reasons for retention.
  • Companies based outside Europe will have to apply the GDPR rules when offering services in the EU.
  • Data protection authorities will be able to impose fines of up to €1 million or up to 2% of global annual turnover if companies fail to comply.
  • The establishment of a "one-stop shop" will allow businesses to deal with one authority instead of a different regulatory body in each EU country in which they operate. Individuals will only have to deal with their home national data protection authority, in their own language, regardless of where the data is processed.

Despite general agreement in these key areas, there are still a number of major differences of opinion that will need to be reconciled through negotiations between the Commission, the European Parliament and the Council.

Whether the GDPR will be adopted by the end of 2015 is uncertain; however, progress is being made, and the GDPR could be introduced as early as 2016. For businesses, it is important to implement a data protection plan immediately, one that addresses not only the personal information of customers but also all important business data that requires protection to ensure business viability.

Apply to become Certified in Data Protection and an expert in the General Data Protection Regulation.