EU data protection law has come a long way over the last two decades.
When Directive 95/46/EC (the "Directive") was written in the mid-1990s, the highly networked and interconnected world in which we live today was merely a glimmer on the horizon. The internet itself was still a fairly new innovation to many people. Many organisations did not yet have public websites. Concepts such as online social media platforms did not exist—and certainly nobody had considered how they should be regulated. Consequently, courts and Data Protection Authorities ("DPAs") have increasingly had to adapt the Directive to a world it simply was not designed for.
Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") will replace the Directive. The GDPR was published on 4 May 2016, marking the end of a four-year legislative process. It introduces a raft of sorely needed clarifications and updates, which will carry EU data protection law forward, well into the next decade. It also introduces major changes to the compliance burden borne by organisations.
The GDPR represents a hugely significant step in the development of privacy as a concept.
It is difficult to overstate the importance of the GDPR. First, it is very wide-ranging, and will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad.
Second, the GDPR is extremely serious. For too long, EU legislators and DPAs have felt that organisations do not take their data protection responsibilities seriously enough, and so the GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million or four percent of worldwide turnover—numbers that are specifically designed to attract C-Suite attention.
Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency; it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organisations. Satisfying these requirements will prove to be a serious challenge for many organisations.
Enforcement of the GDPR is coming soon, and organisations need to be ready.
Early planning is essential. Enforcement of the GDPR starts on 25 May 2018. Organisations will find it very difficult to bring their business operations into compliance with the GDPR by this date unless they take its requirements seriously, and commit sufficient time and resources to satisfying those requirements. Because the GDPR affects almost all of the ways in which an organisation processes personal data, the scale of this task should not be underestimated.
Our Global Data, Privacy & Cyber Security Practice is ideally positioned to guide organisations through the process of understanding, and complying with, the GDPR. The breadth and depth of our experience in advising organisations on their data protection compliance obligations enables us to provide practical advice on real‑world solutions to the complex problems that arise in this context, throughout the EU and beyond.
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP