Act Now: New Data Protection regime for the European Union.

Wednesday 8th June 2016

Following months of negotiation between the European Commission, European Council and European Parliament, agreement has finally been reached in relation to the new European data protection framework.

The new legislation will take the form of a regulation called the General Data Protection Regulation (GDPR). The GDPR will have direct effect, so will be directly enforceable without Member States needing to implement national legislation.

The GDPR is unlikely to come into force any time before 2018 due to the need for continued discussion and approval of its contents. However, many larger companies are already taking steps to ensure that they are prepared to comply with the exhaustive and onerous requirements it places on data controllers, and we recommend that you do the same.

To assist you, here are some of the key changes likely to affect you:

Consent to data processing

Any consent given by a data subject will need to be specific, informed and unambiguous. It must be given freely and in writing or by affirmative action which signifies consent. If the data subject fails to provide a response to a consent request, consent will be deemed not to have been given.

The data subject must be able to freely withdraw or refuse their consent without experiencing any detriment.

Key point:

Consider whether any consent you currently have will be considered to be sufficient under GDPR.

Enhanced rights for data subjects

Data subjects will have the right to individual ‘data portability’ meaning that a data controller or processor, if requested, must transfer the personal data it holds for that individual to any organisation requested by the individual.

Data subjects will also benefit from the ‘right to be forgotten’. If requested, organisations will be required to erase any personal data they hold which relates to that individual. Organisations will also be required to contact third parties, where applicable, and notify them of the data subject’s exercise of the ‘right to be forgotten’.

Data controllers and processors will be able to continue to process individual data, regardless of a request for erasure, if there is a legitimate reason for doing so. However, the burden of proof will be on the data controller or data processor to show that there is a legitimate reason for continuing to process the data.

Key point:

Does your organisation effectively categorise its personal data and will it be able to efficiently locate and destroy all personal data it holds for a particular individual, if so requested? What are the likely legitimate grounds for you retaining and continuing to process the data?

Data Breach Notifications

Data controllers must notify their respective Data Protection Authority (DPA) of any data protection breaches without undue delay, and within 72 hours where possible. If this timeframe is not met, data controllers must provide a justified reason as to why.

However, this notification requirement will not apply unless there is a risk that the rights and freedoms of that data subject will be affected.

Data controllers must also inform the data subject likely to be affected, without undue delay, if there is a “high risk” of the breach affecting their individual rights and freedoms.

Key point:

What mechanisms and processes does your organisation have in place to quickly identify breaches of data protection? How and by whom are such breaches dealt with? What are the possible justifications for your organisation delaying notification to a relevant DPA?

Your organisation may wish to consider creating and implementing clear policies and procedures relating to the monitoring and assessment of data protection risks and breaches. 

Data Protection Officers for Public Authorities

If you are a public authority which processes or controls personal data, or if either i) the core activities you carry out, by their very nature, require monitoring of a large number of data subjects, or ii) the core activities you carry out process special categories of data on a large scale, you must designate a Data Protection Officer (DPO).

DPOs will be responsible for managing effective data protection and data security processes which relate to the personal data held by the data controller or data processor. As such, the DPO will need sufficient expert knowledge.

Key point:

Does your organisation need a DPO? If so, do you currently employ an individual who is sufficiently skilled to be a DPO? If not, are you able to train existing employees?

Territorial Reach

Data controllers and data processors who principally operate outside the EU may be caught by the GDPR if their activities relate to the offering of goods or services to EU data subjects. This may also be the case if such controllers or processors monitor the behaviour of EU data subjects.

Organisations are likely to be deemed to offer goods or services within the EU if they use the language or currency generally used in one or more Member States, or if they make reference to EU customers or allow EU citizens to easily place orders with the organisation.

Key point:

Does your organisation primarily operate outside the EU? If not, does your organisation contract with other organisations which primarily operate outside the EU?

If you contract with an organisation outside the EU, it may be favourable to ensure that the organisation complies with the GDPR, as it will be required to. This offers your organisation and your organisation’s customers greater security.


A tiered approach to fines will be adopted in the GDPR.

Less serious, ‘low level’ data protection breaches may attract fines of up to €10 million or 2% of an organisation’s annual global turnover, whichever is greater. More serious breaches, such as significant breaches of basic data protection principles, may attract fines of up to €20 million or 4% of annual global turnover, whichever is greater.

Key point:

Your organisation should ensure it complies with its data protection principles in order to avoid sanctions entirely, particularly given the potential high value of such fines.