Over four years in the making, the EU General Data Protection Regulation (GDPR) was finally published in the EU Official Journal on May 4, 2016, giving a concrete application date. It will apply directly in all EU Member States beginning May 25, 2018. The GDPR will repeal and replace Directive 95/46/EC and its Member State implementing legislation.
Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years. The final official texts can be found here.
The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU that target EU residents. The export regime will ensure the GDPR’s impact is felt where such organizations transfer personal data to the EU. The maximum fines for non-compliance are the higher of €20 million (approximately $23 million U.S. dollars) and 4% of the organization’s worldwide turnover.
The concept of accountability is at the heart of the GDPR rules: it means that organizations will need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or program that allows them to achieve compliance.
To assist our clients with navigating the GDPR’s requirements, we have developed a GDPR Checklist, linked below, and have planned introductory events and master classes to be held via webinar, and in-person in London, Paris, Frankfurt, Munich, and Amsterdam. Registration information may be found below.