Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing legislation.
Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years. The final official texts can be found here.
The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU that target EU residents. The export regime will ensure the GDPR’s impact is felt where such organizations transfer personal data to the EU. The maximum fines for non-compliance are the higher of €20 million (approximately US$23 million) and 4% of the organization’s worldwide turnover.
The concept of accountability is at the heart of the GDPR rules: it means that organizations will need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or program that allows them to achieve compliance.
To assist our clients with navigating the GDPR’s requirements, we have developed a GDPR Checklist, linked below, and have planned introductory events and master classes to be held via webinar, and in-person in London, Paris, Frankfurt, Munich, and Amsterdam. Registration information may be found below.
Norton Rose Fulbright’s GDPR Checklist is designed to give an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements. It can be used to gain an understanding of where an organization has gaps in its compliance and to articulate how its control program will meet the requirements. It should be noted that certain parts of the GDPR (such as exceptions to the data subject rights) will be supplemented by Member State local legislation and guidance from local data protection authorities, which will be renamed Supervisory Authorities, and the Article 29 Working Party, which will become the European Data Protection Board under the GDPR. This local legislation and guidance is not yet available.
GDPR introductory events & master classes
We will be providing a series of introductory events and master-classes over the coming months to assist clients with GDPR compliance. The current schedule includes:
- London (English) – Master-class clinics:
  - new position of processors (May 25, 2016);
  - consents and fair processing notices (June 28, 2016);
  - new data subject rights (July 20, 2016)
- Webinar (English) – Overview of what businesses should be doing now (May 25, 2016 at 17:00 BST / 12:00 PM EDT)
- Paris (French) – Master-class on accountability (May 10, 2016)
- Germany (German) – Master-class/webinars:
  - general principles and accountability (May 19, 2016, Frankfurt & webinar);
  - liability, sanctions and privacy litigation (June 16, 2016, Munich & webinar);
  - new position of processors (July 14, 2016, Frankfurt & webinar)
- Amsterdam (English) – Overview of what businesses should be doing now (June 23, 2016)
If you would like to attend these events, please register via the links below:
- Register your interest for the upcoming master-classes, clinics and webinars in London, Paris, Germany and Amsterdam.
- Register for the upcoming Webinar (English) – Overview of what businesses should be doing now (May 25, 2016 at 17:00 BST / 12:00 PM EDT)