EU data protection - GDPR

"Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe, and more generally in the Europe 2020 Strategy."

EU Commission (2012)

In May 2018, a sweeping new data protection law, the General Data Protection Regulation (GDPR), will come into force in every EU member state in an attempt to balance the rights of citizens, businesses, and regulators. Organisations and businesses processing the data of EU citizens will be subject to many new legal requirements. The main points of GDPR are:

  • GDPR covers personal information belonging to EU citizens regardless of where the data collection or processing takes place, or where a company is headquartered.
  • Organisations must obtain the explicit consent of individuals to collect and process their data, and that consent can be withdrawn at any time. Consent for minors below the age of 13 years must be obtained from the child's parent or custodian.
  • Privacy Policies - data controllers must provide transparent and easily accessible privacy policies so individuals can understand what is being requested.
  • Individuals have the right to leave a service and take their data with them to a competing service.
  • Individuals may make a complaint about any company through their own national DPA.
  • “Right to be forgotten” - an individual can request that data about them be fully and permanently deleted where they no longer use a service or product, or where public information about them is inaccurate.
  • “Privacy by Design (PbD), and Default” - organisations developing software products must factor privacy into the architecture from inception. Additionally, privacy settings must be set to a high level by default.
  • “Data minimisation” - data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
  • Organisations developing new software or making large changes to existing software must carry out a Privacy Impact Assessment.
  • “One-stop shop” - a business need only interact with the DPA where it has its main establishment.
  • “Pseudonymisation” and encryption of personal data - any data that can be used to identify a specific data subject should be stored separately and replaced with some form of unique identifier.
  • Transfers to non-EU countries - the level of protection and redress should be equivalent to GDPR.
  • Businesses will no longer have to notify data protection authorities of data processing activities and pay the accompanying fees.
  • Organisations must notify the supervisory authority within 24 hours where data breaches occur.
  • All public authority organisations, enterprises with more than 250 staff, and those whose core business is processing data will be required to employ a full-time data protection officer.
  • Fines of up to €20 million or 4% of global annual turnover for the preceding financial year may be imposed on organisations breaking GDPR provisions.
  • GDPR does not apply to activities relating to national security; EU institutions, bodies, offices and agencies; persons acting in a personal or household capacity; or law enforcement authorities involved in the prevention, investigation, detection or prosecution of criminal offences.
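The pseudonymisation and data-minimisation points above describe a concrete engineering pattern: strip the fields that are not needed for the purpose, and replace the direct identifiers that remain with a token whose link back to the person is held in a separate store. The following Python is an added example written for this page, not code from the EU Commission or from any GDPR implementation; the field names, the constructed sample records, and the choice of a keyed HMAC-SHA256 as the "unique identifier" are assumptions made for illustration. A keyed hash is used rather than a plain hash so that the token is stable for the same person (analytics still work) but cannot be rebuilt from a guessed e-mail address without the key; deleting the mapping entry severs the link to the person, which is how such a store supports an erasure request.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed for this example: fields treated as direct identifiers.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records; the third row is the same person as the first.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "purchase": "book", "country": "IE"},
    {"name": "Bob Example", "email": "bob@example.org", "purchase": "lamp", "country": "FR"},
    {"name": "Ada Example", "email": "ada@example.org", "purchase": "pen", "country": "IE"},
]


class PseudonymVault:
    """Holds the HMAC key and the token -> identifier mapping.

    This object is the part that must be stored separately from the working
    data set: the pseudonymised copy only ever contains tokens, and
    re-identification is impossible without access to the vault.
    """

    def __init__(self, key: Optional[bytes] = None):
        # Fresh random 256-bit key unless the controller supplies one.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def token_for(self, field: str, value: str) -> str:
        # Keyed hash over "field:value": deterministic for one person, but not
        # reproducible by anyone who lacks the key (unlike a bare SHA-256 of
        # an e-mail address, which a dictionary of addresses would reverse).
        msg = f"{field}:{value}".encode("utf-8")
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the controller holding the vault can map a token back.
        return self._lookup.get(token)

    def erase(self, token: str) -> bool:
        # Drop the mapping; pseudonymised records stay usable as statistics
        # but can no longer be tied to the person.
        return self._lookup.pop(token, None) is not None


def minimise(record: dict, needed_fields: Iterable[str]) -> dict:
    """Keep only the fields the stated purpose actually requires."""
    keep = set(needed_fields)
    return {k: v for k, v in record.items() if k in keep}


def pseudonymise(record: dict, vault: PseudonymVault) -> dict:
    """Replace every direct identifier present in the record with a token."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.token_for(field, out[field])
    return out


def process_for_purpose(records, needed_fields, vault: PseudonymVault):
    """Minimise first, then pseudonymise what is left."""
    return [pseudonymise(minimise(r, needed_fields), vault) for r in records]


def demo():
    vault = PseudonymVault()
    # Purpose: purchase statistics; the name is not needed for that, so it is
    # dropped before pseudonymisation rather than tokenised and kept.
    pseudo = process_for_purpose(SAMPLE_RECORDS, ("email", "purchase"), vault)
    return vault, pseudo


if __name__ == "__main__":
    v, rows = demo()
    for row in rows:
        print(row)
```

Running the block prints three rows in which the e-mail column is a hex token, the name column is absent, and rows one and three carry the same token; calling `vault.reidentify(token)` returns the original address until `vault.erase(token)` is called.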

Download EU General Data Protection Regulation GDPR 2018 EN.pdf