The General Data Protection Regulation
After four years of preparation and debate, the new General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14 April 2016.
The GDPR replaces the Data Protection Directive 95/46/EC and has been designed to harmonise data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organisations across the region approach data privacy.
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used. Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.
The GDPR threatens significant fines and penalties for non-compliance. It raises the maximum fine the Information Commissioner’s Office (ICO) can impose on organisations that fail to comply, including those that have not adequately protected personal data against theft, from £500,000 to €20 million (around £17 million) or four percent of annual worldwide turnover, whichever is higher. Needless to say, changes to the governance of data will have far-reaching consequences for your business.
But who does it affect? The answer: ‘controllers’ and ‘processors’ of data. It is important to understand the definition of these two terms and to know whether you can be categorised as one. A data controller determines how and why personal data is processed (the purposes and means of the processing), while a processor is the party that processes the data on the controller’s behalf. So the controller could be any organisation, from a profit-seeking company to a charity or government body. A processor could be an IT firm doing the actual data processing. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU.
It is the controller’s responsibility to ensure that its processors abide by data protection law, and processors must themselves comply with their own obligations, including maintaining records of their processing activities. If processors are involved in a data breach, they can be held directly liable under the GDPR, something that was not the case under the Data Protection Act.
It is essential to start planning your approach to GDPR compliance as early as you can. Note that some parts of the GDPR will have more of an impact on some organisations than on others, so it is worth mapping out which parts of the GDPR will have the greatest impact on your business model and giving those areas due prominence in your planning process.
Here at Assure UK, we seek to summarise the key changes that the new law will bring and to highlight the most important actions that organisations should take in preparing to comply with it. For further information, please contact us on 020 7112 8300 or email gdpr@assureuk.co.uk