General Data Protection Regulation

The European General Data Protection Regulation (GDPR) was proposed on January 25, 2012 because the current EU Data Protection Directive does not sufficiently address the important aspects of data protection in a rapidly changing environment shaped by globalization, social networks, and cloud computing. The European Commission therefore determined that new guidelines for data protection and privacy were required and proposed the GDPR as a comprehensive reform of the Data Protection Act of 1998.

The single data protection regulation was adopted in April 2016 and, after a two year transition period, takes effect on May 25, 2018. As a regulation rather than a directive, it applies directly in all EU countries without requiring any additional legislation by EU member state governments. The GDPR extends the scope of the Data Protection Directive from government agencies alone to all companies. Employee data is excluded from the GDPR and remains subject to the regulations of individual countries.

There will also be a single Data Protection Authority (DPA) responsible for each company, determined by where the company is based. A European Data Protection Board will coordinate the DPAs.

The key elements of the GDPR include the creation of a single set of rules, increased enforcement powers including an increase in potential fines, a duty on organizations to report breaches within 24 hours, and provisions giving people easier access to and more control over their personal data, including a "right to be forgotten" and the introduction of "data portability".

General Data Protection Regulation key areas include:

  • Establishment of a single regulation that will be valid in all EU member states and affect all businesses.
  • A "right to be forgotten" rule that will allow EU citizens to have their personal data deleted if there are no valid reasons for retention.
  • Companies based outside of Europe will have to apply the GDPR rules when offering services in the EU.
  • Data protection authorities will be able to impose fines of up to €1 million or up to 2% of global annual turnover if companies fail to comply.
  • The establishment of a "one-stop shop" will allow businesses to deal with one authority instead of separate regulatory bodies in each EU country in which they operate. Individuals will only have to deal with their home national data protection authority, in their own language, regardless of where the data is processed.

Compliance with the General Data Protection Regulation (GDPR) will require companies to apply a holistic approach and engage all relevant groups of the enterprise to work together. Furthermore, Data Protection Officers will have to gain additional knowledge about IT controls, as the regulation clearly addresses the need to maintain system security over consumer data in order to ensure privacy. Another article about the General Data Protection Regulation gives more details about the requirements and explains why some of the compliance tasks that are dispersed across the organization today will need to be coordinated closely to ensure efficient and effective GDPR compliance.
