The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and will replace the current EU Data Protection Directive 95/46/EC. The GDPR introduces new obligations to data processors and data controllers, including those based outside the EU. Given that infringement can lead to fines of up to 4% of annual worldwide turnover or €20 million, it is important for companies to assess how the GDPR will affect them and prioritise preparations to comply by May 2018.The GDPR will bring harmonisation across the EU regarding data privacy. The extraterritorial effect of the GDPR means its scope will apply to non-EU data controllers and processors monitoring the behaviour of or offering goods or services to individuals located in the EU. The Regulation will affect many industries, particularly financial services where firms tend to hold large volumes of personal data.
There are many aspects to be considered to ensure full compliance. For example, there will be requirements for explicit consent to be freely given by individuals for their data to be used for specific purposes, as well as the right for individuals to request details of information held and for data to be deleted. Some organisations will need to carry out assessments, ensure effective procedures are in place and designate a Data Protection Officer to meet new accountability requirements.
