EU General Data Protection Regulation comes into force

Applies from: 25 May 2018 (the Regulation entered into force on 24 May 2016, with a two-year transition before it became applicable)

The EU General Data Protection Regulation, Regulation (EU) 2016/679, replaces the current Data Protection Directive (95/46/EC). (Regulation (EC) No 45/2001, sometimes confused with it, governs data processing by the EU institutions themselves and is not the GDPR.)

Key details

In January 2012, the European Commission announced its intention to reform the existing data protection provisions, stating that reform was necessary to strengthen online data protection rights and to boost Europe's digital economy by harmonising data protection rules across the European Union. The Commission proposed that the Directive be replaced by a Regulation, which is directly applicable in every member state and does not need to be transposed into national law (member states retain limited scope to legislate on specific points, such as the age of consent for children's online services). The Regulation also has extraterritorial reach: it applies to controllers and processors established outside the EU where they offer goods or services to data subjects in the EU or monitor their behaviour within the EU, regardless of where the processing takes place. The Regulation:

  • retains a supervisory authority in each member state but introduces a "one-stop-shop" mechanism, under which a single lead supervisory authority handles cross-border processing, and replaces the Article 29 Working Party with a European Data Protection Board; it also makes the appointment of a data protection officer mandatory for public authorities and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data;
  • provides for administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (a lower tier of up to 10 million euros or 2% applies to others);
  • where consent is relied on as the lawful basis for processing, requires that it be freely given, specific, informed and unambiguous, and given by a clear affirmative action (silence, pre-ticked boxes or inactivity do not count);
  • requires notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and notification to the affected individuals where the breach is likely to result in a high risk to them; and
  • extends the special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sex life) to include genetic data, biometric data processed to uniquely identify a person, and sexual orientation.

The Information Commissioner's Office has published "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now" and "Guidance: what to expect and when", providing advice on steps that organisations can take in preparation for the Regulation becoming applicable.