It Is Time To Prepare For The New EU General Data Protection Regulation

The new EU General Data Protection Regulation (GDPR) was adopted in April 2016 and will come into effect on the 25th of May 2018. The GDPR has been designed to replace the current EU data protection regime which is contained in the Data Protection Act 1998. The principal rationale behind the GDPR is to bring the law up to date and to make it more suitable to deal with the growth of the digital economy and the different ways in which large amounts of personal data are increasingly collected and exchanged. It is also intended to unify data protection law within the EU and combat the current fragmented laws. In the GDPR, the protection of natural persons’ personal data is considered a fundamental right. The GDPR will be mandatory legislation throughout the EU and will require very little enabling legislation to be passed by governments; it will also apply in situations where personal data is being processed outside the EU. Note that the Secretary of State for the United Kingdom confirmed that the U.K. will opt into the GDPR regardless of Brexit, although if and when the U.K. does leave the EU, the U.K. government would have the option to deviate from the GDPR.

Among the key changes in the GDPR to current EU data protection laws are a broader territorial scope, a wider definition of personal data to include all the information related to an identified or identifiable natural person, and a stricter definition of “consent” to release such data. Another notable change is that data processors – as opposed to simply the data controller – now have direct obligations. The GDPR also grants data subjects a new set of rights, re-balancing interests in favor of the individual. For example, the GDPR grants the right of erasure (“the right to be forgotten”), allowing data subjects to directly request that their companies (rather than seeking court intervention) delete their data, barring legitimate grounds for its retention.

To ensure compliance, the GDPR introduces an enforcement regime of heavy financial sanctions of up to 4% of annual worldwide turnover. To avoid such onerous penalties, your company must take advantage of the window before the regulation becomes effective in May 2018 to conduct risk assessments, review existing practices, determine possible compliance gaps, and prepare for the GDPR’s implementation. For instance, your company may now be required to appoint a Data Protection Officer.

Consult your Ally Law member firm to evaluate your data protection system and necessary changes to comply with GDPR. For more information about Ally Law member firm services and outstanding lawyers, contact us at team@ally-law.com.

Click on the titles for the original articles by Ally Law member firms: The new EU General Data Protection Regulation, by Nordic Law; A roadmap to the key changes introduced by the new European Data Protection Regime, by Your Legal Partners; and No ifs…no buts… UK to implement the General Data Protection Regulation (GDPR) regardless of Brexit, by Edwin Coe.