What are the key changes under the GDPR that will affect organisations from 25 May 2018?


Unlike the existing legislation, the GDPR is a Regulation. The reason for this is that data protection is seen as the cornerstone to the digital economy - therefore it is important that there is uniformity across Europe.

Processor Obligations

The Data Protection Act (DPA) only applies to data controllers.  For the first time the GDPR places statutory obligations on data processors. There are express provisions in relation to what data processors can and cannot do and data processors will also be subject to the Information Commissioners Office's (ICO) new enforcement powers.

Territorial Scope

The GDPR will apply to organisations that are based outside of the EEA, even where those organisations do not have a physical presence within Europe, where they are offering goods or services to European residents, or if they are monitoring the behaviour of European residents.

Increased Fines

Under the DPA the ICO has the ability to issue a maximum fine of £500k per breach.  The GDPR creates a new two tier regime.  The maximum fine for the most serious infringements (such as not gaining sufficient consent for processing) is up to 4% of annual global turnover or €20 million (whichever is greater). Administrative failures (such as failing to report breaches) can result in a fine of up to 2% of annual global turnover or €10 million (whichever is greater).

Breach Notification

Under GDPR data processors must report all breaches to the data controller without undue delay and data controllers must, subject to some exceptions, report all breaches to the ICO within 72 hours of becoming aware of the breach.  There are also circumstances where individuals must be informed of breaches relating to their personal data.

Data Protection Officer (DPO)

A DPO with expert knowledge of data protection law must be appointed at most public sector organisations.  Organisations that carry out large scale systematic monitoring of individuals or large scale processing of sensitive personal data must also appoint a DPO.

In addition to these key changes there are additional recording keeping and evidential requirements running through the GDPR.  Privacy Impact Assessments and Privacy by Design are also given statutory footing.

See our article: GDPR - how can I start to prepare? for a summary of the initial steps that all organisations should take to start preparing for GDPR.

Send us a message