The GDPR was first proposed by the European Commission in January 2012 and, after a four-year legislative development period, was published in the Official Journal of the European Union in May 2016. It became effective on 25 May 2018.
The GDPR develops several of the standards contained within the previous legislation, including:
- Territorial scope – the GDPR extends the territorial scope of EU data protection rules to many organisations that were not previously subject to EU data protection rules, although it also narrows the scope for certain organisations;
- Data protection principles – the GDPR regime introduces a series of new supporting principles for the processing of personal data and enhances the existing principles;
- Consent and rights of data subjects – the GDPR makes consent harder to obtain and rely upon to process personal data. The GDPR also strengthens the rights of data subjects in relation to their personal data;
- Obligations for processors and enhanced ‘accountability’ – the GDPR increases the direct compliance obligations for data processors and introduces new accountability rules;
- Cybersecurity requirements – the GDPR introduces specific requirements for firms to have in place processes and technical and organisational measures to ensure the proportionate security of personal data and data processing activities;
- Breach notifications and sanctions – the GDPR requires breaches to be reported within 72 hours of detection and introduces stronger supervisory authority sanctioning powers, including administrative fines of up to €20 million or 4% of global group turnover. Liability extends to ‘processors’, as well as ‘controllers’; and
- Data protection officers – the GDPR introduces an obligation for firms that regularly and systematically monitor data subjects, or process ‘Sensitive Personal Data’ on a large scale, to appoint a ‘Data Protection Officer’ (DPO) compliant with the requirements of the GDPR.
The GDPR takes the legislative form of an EU ‘regulation’ and is therefore directly applicable; it does not give Member States the discretion of transposition into national law.
Implementation issues and questions related to the GDPR are covered by the AIMA Data Regulation Working Group.
If you have any questions about GDPR or would like to join the AIMA Data Regulation Working Group, please contact Oliver Robinson (email@example.com).
- AIMA GDPR Q&A (23 July 2018)
- Risk and Regulation in a Digitalized World (23 July 2018)
- UK – ICO webinar on personal data breach reporting (20 July 2018)
- AIMA informal Q&A on GDPR (29 May 2018)