The EU General Data Protection Regulation (GDPR) is the most significant change in data privacy regulation in 20 years. GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council of the EU on 27 April 2016 and applies in full from 25 May 2018, after which organizations that are not compliant risk heavy fines. Serious infringements can be penalized with administrative fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher.
GDPR replaces the Data Protection Directive 95/46/EC. Its purpose is to unify data protection regulation across the EU, to protect and empower the data privacy of individuals in the EU, and to force public and private organizations to redesign their approach to the collection, storage and processing of personal data. Organizations of any size, including those established outside the EU (extra-territorial applicability), are covered when they process the personal data of individuals in the EU, and are required to make substantial structural changes to the way they operate.
Both “controllers” and “processors” of personal data must comply with the GDPR. The new obligations on data subject consent, pseudonymisation and transparency, and on privacy by design and by default, call for comprehensive policies and incident response procedures covering a broad spectrum of factors, among them the processing of data throughout its lifecycle from collection to destruction, confidentiality, data portability, breach notification (to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach) and the appointment of Data Protection Officers.
by Konstantina Theodosaki, Attorney at Law