EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) was finally approved by the European Parliament in April 2016.

All organisations that process personally identifiable information (PII) must comply with the Regulation by 25 May 2018 or face penalties of up to €20 million or 4% of annual global turnover – whichever is greater.

This page provides a brief history of the GDPR and an overview of the notable changes for data processors and controllers introduced by the Regulation.


About the GDPR

In January 2012 the European Commission proposed a major reform of the 1995 EU Data Protection Directive (95/46/EC) to bring its principles into line with 21st century technological advances and the global movement of data. The Commission’s intention was to produce a single law that would unify data protection legislation and enforcement across Europe. The General Data Protection Regulation (GDPR) is that law.

The Regulation will mean that organisations that process PII will only have to contend with one data protection law instead of 28. This reduced administrative burden should increase corporate efficiency and create more business opportunities for data processors, as well as providing greater security for individual data subjects.



Transition period

The Regulation will apply from May 25 2018, meaning organisations have two years to achieve a state of compliance. For larger organisations especially, complying with the Regulation’s new requirements could take many months’ work, which is why it is advisable to start preparing now.

For more information on how IT Governance can help your organisation to prepare for your new obligations under the GDPR, email or call 00 800 48 484 484.


Key requirements proposed by the GDPR:

  1. The scope of the Regulation
    The GDPR applies to controllers and processors of personal data regardless of where they are physically based and irrespective of whether the processing itself takes place in the EU.

  2. The definition of personal data
    The GDPR widens the definition of ‘personal data’ to mean “any information relating to an identified or identifiable natural person”. Factors that could be used to identify individual data subjects include names, identification numbers, location data, online identifiers, or “one or more factors specific to [data subjects’] physical, physiological, genetic, mental, economic, cultural or social identity”.

  3. Consent
    The GDPR requires that data subjects should consent to data processing via a “clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement […] such as by a written statement, including by electronic means, or an oral statement.” Parental consent is required to process under-16s' personal data. (Individual EU member states can lower this age to 13.)

  4. Data protection officers
    A data protection officer (DPO) must be appointed if data processing “is carried out by a public authority or body”, or “the core activities of the controller or processor consist of processing operations which [...] require regular and systematic monitoring of data subjects on a large scale”, or “the core activities of the controller consist of processing on a large scale of special categories of data”. A group of organisations can appoint a single DPO.

  5. Data protection impact assessments
    Data controllers must conduct a data protection impact assessment prior to processing when it “is likely to result in a high risk to the rights and freedoms of natural persons”.

  6. Processor liabilities
    Unless they can prove that they were “not in any way responsible for the event giving rise to the damage”, data processors and controllers will both be liable for damage caused by processing that does not comply with the Regulation.

  7. The right to data portability
    The GDPR grants data subjects the right to obtain a copy of any personal data held about them by an organisation in a “structured, commonly used and machine-readable format”.

  8. The right to be forgotten
    Under the GDPR, data subjects have the right to request the correction of inaccurate data and the erasure of personal data that is no longer necessary, that they no longer consent to being processed, that they object to being processed, that has been unlawfully processed, that has to be erased to comply with other legal obligations, or that relates to a child of under 16 for whom they are legally responsible.

  9. Data breach notification requirements
    Data processors must notify data controllers “without undue delay after becoming aware of a personal data breach.” Data controllers, in turn, must notify the supervisory authority of data breaches “without undue delay and, where feasible, not later than 72 hours after having become aware of it” unless they can demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” If the notification is not made within 72 hours, it must be “accompanied by reasons for the delay.” Data subjects must also be informed “without undue delay” if “the personal data breach is likely to result in a high risk to [their] rights and freedoms”.

  10. Penalties
    Non-compliance with the GDPR could result in administrative fines of up to €20 million or, “in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”


GDPR resources

For a more in-depth examination of the GDPR, you may be interested in books, toolkits and training courses:

Information correct as of May 2016.


Data protection and ISO 27001

Managing your data effectively for compliance with the GDPR requires a robust information security management system (ISMS). Information security is a broad approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.

In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.

ISO 27001 is the internationally recognised best-practice Standard that lays out the requirements of an ISMS and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value.

Organisations with multiple compliance requirements often seek certification to ISO 27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO 27001 certification.

The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO 27001:2013 has been developed to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

Furthermore, the additional external validation offered by ISO 27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

