
Understanding the General Data Protection Regulation
/ Categories: Compliance


Recent months have been filled with anticipation for the introduction of new EU data privacy regulations, officially known as the General Data Protection Regulation (GDPR). Initiated in 2012, the GDPR was approved by the European Parliament in April with the aim of giving EU residents more control over how their personal data is collected and used by companies.

The new regulation will entitle people to be told where and how their personal data is being processed. It also gives them the ‘right to be forgotten’, which allows individuals to request the deletion of data that is being held without a legitimate reason. This could include data held by service providers and even by previous employers.

A key requirement of this regulation centres on the need for valid consent, which must be made clear to individuals. To be compliant, organisations should be able to demonstrate that the individual understands the intended use of their data.

A two-year window

The regulation is set to become enforceable in May 2018, and companies will have until then to prepare themselves for full compliance. For organisations processing the data of more than 5,000 data subjects in any consecutive 12-month period, a Data Privacy Officer (DPO) must be appointed with the responsibility of enforcing compliance throughout the company. The DPO is also tasked with informing management if data is not being managed appropriately. Given this new requirement, the International Association of Privacy Professionals (IAPP) has estimated that companies across Europe will collectively need to appoint over 28,000 new DPOs.

Because organisations must be able to demonstrate that individuals have given valid consent to the intended uses of their personal data, commentators suspect that organisations could begin to take a layered approach to privacy policies, whereby users can easily navigate to a page clearly detailing the types of data processing taking place. That page would also give users the opportunity to select their data preferences and to opt out where necessary.

The new regulations are not to be taken lightly. If found to be non-compliant or in breach of the GDPR, organisations can expect fines of up to 4 per cent of annual global turnover or €20 million, whichever is greater.

Data privacy is no longer purely the responsibility of the IT department; instead, it has become a C-suite issue. Ensuring your company is compliant will avoid tough penalties from the European Commission.