General Data Protection Regulation (GDPR)


Fundamentally, the GDPR strengthens the rights of individuals with regard to the protection of their personal data, imposes more stringent obligations on those who process personal data, and gives regulators stronger enforcement powers. A key change is the introduction of fines of up to €20 million or up to 4% of worldwide annual turnover, whichever is greater. This is a huge increase on previous fines (in the UK, for example, the maximum possible fine under the previous legislation was £500,000).

GDPR is extraterritorial in scope, which means there are circumstances in which it applies to companies anywhere in the world. Even where a company is not established in the EU, GDPR applies if it offers goods or services to individuals in the EU (irrespective of whether the individuals have to pay) or monitors the behaviour of individuals in the EU (this includes online tracking).

Companies operating both inside and outside the EU will have to adapt their practices, at least for all data processing that falls under the GDPR. This raises the question of whether companies will raise standards across the board or make a deliberate choice to implement a dual standard, under which, for example, individuals outside the EU are less protected. Many companies have yet to make their position clear.