The Impact of the General Data Protection Regulation


The existing EU data protection regime is based on the Data Protection Directive which was introduced in 1995. Partly to reflect the rapid technological developments and fundamental changes to the ways in which information is now communicated and shared and due to the various approaches the EU Member States have taken in implementing the Data Protection Directive, the European Commission (“EC”) has unified data protection within the EU with a single law, the General Data Protection Regulation (“GDPR”).

The GPDR came into force on 24th May 2016 with a two year compliance period. This means Member States are not obligated to apply it and organisations will not need to comply with it until 25th May 2018. However, it remains unclear what amendments may be made to data protection laws once the UK has left the EU.

Latest Update: ICO publishes updates to help prepare for compliance

The Information Commissioner's Office (“ICO”) has published some updates to help organisations prepare for compliance with the GDPR's requirements before May 2018, and in particular to assist them with planning what areas to address over the coming months:

These add to other guidance provided:

Otherwise, here are some details regarding the GDPR because it will be relevant for many organisations in the UK – most obviously those operating internationally.

The key areas that are being amended

Organisations that are complying properly with the current law have a strong starting point to build from but there are important new elements and some things may need to be done differently. Also, note the GDPR refers to ‘controllers’ and ‘processors’ instead of 'data controllers’ and ‘data processors’. The key areas of the existing EU data protection regime that are being amended are set out below:

Area Change Points to note
Wider geographical scope Businesses based outside the EU will now be subject to the GDPR if they:

- offer goods or services to EU data subjects; or

- monitor the behaviour of EU data subjects,

regardless of whether the processing of the data takes place within the EU or not.

- Currently, a company must be ‘established’ in the EU in order to be subject to the EU data protection laws.

- This change will catch many non-EU businesses that were not previously required to comply with the Data Protection Directive.



'Notification' by or 'registration' of controllers with supervisory regulators will be scrapped.

This always seemed a pointless waste of time and is to be welcomed. However, the associated notification fees will presumably have to be recouped somehow.

Increased fines


The maximum fine that each of the EU national data protection authorities can impose will be significantly increased to up to 4% of annual worldwide turnover or €20 million (whichever is the greater).


- Currently, fines under national law vary and are relatively low (eg in the UK, the maximum fine is £500,000).

- The increase in the maximum level of fines will be significant and may mean much more attention is given to compliance. However, a lot will depend upon what fines are actually levied in practice. To date, national authorities have varied quite considerably in the extent to which they have imposed fines within the scope of their existing powers. There may also be a knock-on effect as greater attention is paid by controllers and processors to contractual data protection provisions, especially liability and related indemnities for breaches of security.

Stricter consent requirements


Silence or inactivity will not constitute consent to use of data. Consent must be freely given, specific, informed and unambiguous, provided by clear affirmative statement or action.

A positive statement or other evidence of affirmative agreement from the data subject will be required (eg by actively ticking a blank box - pre-ticked boxes will not suffice).

Appointment of Data Protection Officer (“DPO”)


- A new mandatory requirement is being introduced for the appointment of a DPO for the public sector and in the private sector, where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

- The DPO’s main tasks will be to ensure and monitor compliance with the GDPR.

- The DPO can be an employee but has to be able to perform their duties and tasks ‘independently’.

Many organisations will already have an equivalent role.


Strict rules for notification of data breach


- The controller will be required to notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours, with an explanation of the reasons for any delay.

- The individuals whose personal data could be adversely affected by the breach are also to be notified without undue delay.

- These requirements could mean that data protection authorities are inundated with notifications and it is unlikely they will have the resources to cope.

- Having to notify data subjects will be expensive and has been controversial. How it will play out in practice and be received by individuals will be interesting to see.

Single set of rules and ‘lead authority’

- There will be a single set of personal data protection rules, valid across the entire EU.

- Where a controller or a processor is established in more than one Member State, the data protection authority of the main establishment of the controller or processor will be the ‘lead authority’ to supervise the processing activities (a so-called ‘one-stop shop’).

- A Regulation is a form of EC legal instrument that has ‘direct effect’ which means it does not have to be implemented into national law. Differences in implementation between different Member States have led to some inconsistency. However, much will still depend on whether individual enforcement agencies interpret and apply the Regulation differently.

- The ‘one-stop shop’ should be welcomed as it will hopefully reduce expensive duplication.

Increased rights for individuals


Certain rights for individuals are to be enshrined in the legislation such as the right ‘to be forgotten’ and to ‘data portability’ between service providers.


‘Privacy by design’ and ‘privacy by default’

Data protection safeguards will be required to be built into products and services from the earliest stage of development. Privacy-friendly default settings should be the norm eg on social networks.


Processors’ obligations


For the first time processors will be under a direct obligation to comply with certain requirements of the legislation.


- Previously processors were only responsible for security and then only indirectly via a contractual commitment to the controller.

- Whereas beforehand processors and controllers could apportion financial risk as between themselves and processors could agree a cap on liability, processors will now be exposed to potentially greater risk because of the penalties that can be applied against them directly.

Further information

We have also written some other articles on the GDPR: Consent to use data under the GDPR, in relation to limitation of liability and indemnities in the special context of data security, The General Data Protection Regulation - Apportioning Security Risk, and also on a related data protection matter, the EU-US Privacy Shield.

Otherwise if you require any additional information or have any queries on this topic, please contact us at

30th May 2017

back to archive