Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law | White & Case LLP International Law Firm, Global Law Practice
EU General Data Protection Regulation (GDPR): EU's new data protection law

EU data protection law has come a long way over the last two decades.

When Directive 95/46/EC (the "Directive") was written in the mid-1990s, the highly networked and interconnected world in which we live today was merely a glimmer on the horizon. The internet itself was still a fairly new innovation to many people. Many organisations did not yet have public websites. Concepts such as online social media platforms did not exist—and certainly nobody had considered how they should be regulated. Consequently, courts and Data Protection Authorities ("DPAs") have increasingly had to adapt the Directive to a world it simply was not designed for.

Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") will replace the Directive. The GDPR was published on 4 May 2016, marking the end of a four-year legislative process. It introduces a raft of sorely needed clarifications and updates, which will carry EU data protection law forward, well into the next decade. It also introduces major changes to the compliance burden borne by organisations.


The GDPR represents a hugely significant step in the development of privacy as a concept.

It is difficult to overstate the importance of the GDPR. First, it is very wide-ranging, and will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad.

Second, the GDPR is extremely serious. For too long, EU legislators and DPAs have felt that organisations do not take their data protection responsibilities seriously enough, and so the GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million, or four percent of worldwide turnover—numbers that are specifically designed to attract C-Suite attention.

Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency; it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organisations. Satisfying these requirements will prove to be a serious challenge for many organisations.


Enforcement of the GDPR is coming soon, and organisations need to be ready.

Early planning is essential. Enforcement of the GDPR starts on 25 May 2018. Organisations will find it very difficult to bring their business operations into compliance with the GDPR by this date unless they take its requirements seriously, and commit sufficient time and resources to satisfying those requirements. Because the GDPR affects almost all of the ways in which an organisation processes personal data, the scale of this task should not be underestimated.

Our Global Data, Privacy & Cyber Security Practice is ideally positioned to guide organisations through the process of understanding, and complying with, the GDPR. The breadth and depth of our experience in advising organisations on their data protection compliance obligations enables us to provide practical advice on real‑world solutions to the complex problems that arise in this context, throughout the EU and beyond.


Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice



This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP