EU data protection law has come a long way over the last two decades.
When Directive 95/46/EC (the "Directive") was written in the mid-1990s, the highly networked and interconnected world in which we live today was merely a glimmer on the horizon. The internet itself was still a fairly new innovation to many people. Many organisations did not yet have public websites. Concepts such as online social media platforms did not exist—and certainly nobody had considered how they should be regulated. Consequently, courts and Data Protection Authorities ("DPAs") have increasingly had to adapt the Directive to a world it simply was not designed for.
Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") replaced the Directive. The GDPR was published on 4 May 2016, marking the end of a four-year legislative process. It introduced a raft of sorely needed clarifications and updates, which will carry EU data protection law forward, well into the next decade. It also introduced major changes to the compliance burden borne by organisations.
The GDPR represents a hugely significant step in the development of privacy as a concept.
It is difficult to overstate the importance of the GDPR. First, it is very wide-ranging, and impacts almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad.
Second, the GDPR is extremely serious. For too long, EU legislators and DPAs have felt that organisations do not take their data protection responsibilities seriously enough, and so the GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million, or four percent of worldwide turnover—numbers that are specifically designed to attract C-Suite attention.
Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency; it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organisations. Satisfying these requirements will prove to be a serious challenge for many organisations.
Enforcement of the GDPR started on 25 May 2018, and organisations need to be compliant.
Enforcement of the GDPR started on 25 May 2018. Organisations targeting compliance with the GDPR must manage the challenges of this task by taking its requirements seriously, and by committing sufficient time and resources to satisfying those requirements.
Our Global Data, Privacy & Cybersecurity Practice is ideally positioned to guide organisations through the process of understanding, and complying with, the GDPR. The breadth and depth of our experience in advising organisations on their data protection compliance obligations enables us to provide practical advice on real-world solutions to the complex problems that arise in this context, throughout the EU and beyond.
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP