Data Protection Regulation

General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is designed to harmonize data privacy laws across Europe, in an increasingly data driven world. The aim is to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

Summary of Key Changes

Increased Territorial Scope (extra-territorial applicability)

The biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR.  Applicable to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU.


Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement. Enforcement date: 25th May 2018


Conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form (clear plain language), with the purpose for data processing attached to that consent. C It must be as easy to withdraw consent as it is to give it.​

Further Information at EUGDPR.ORG and