The EU’s General Data Protection Regulation

Last year, the European Union approved the General Data Protection Regulation, also known as GDPR. Described as this century's most important update to data privacy regulation, it is intended to replace Europe's patchwork of national data protection laws with a single, directly applicable set of rules. With data breaches increasing each day, officials recognized the urgency of updating a framework built on the 1995 Data Protection Directive and the 1980 OECD privacy guidelines. The regulation was adopted in April 2016, and companies have until May 25, 2018, when it becomes enforceable, to prepare.

The original Data Protection Directive addressed the variation in laws across the EU and the transfer of personal data to parties outside of the EU. Recipients outside the EU were required to provide an adequate level of data protection in order to receive the data. Accountability was ensured through a Data Protection Authority placed within each member state. However, because a directive must be transposed into each member state's own national law rather than applying directly, implementation and enforcement varied from state to state.

Recently, two different cases were brought before the Court of Justice of the European Union regarding data privacy. The Weltimmo case concerned the ability of one member state's data protection authority to act against a company established in another member state: a company registered in Slovakia, operating a property website aimed at Hungary, was fined by the Hungarian authority. The court ruled that if a company has an establishment in a member state, even a minimal one, it is subject to the data protection law of that state. The second case, Schrems, invalidated the "Safe Harbour" agreement that had governed the transfer of EU citizens' data to the US, on the grounds that US law did not provide protection equivalent to the EU's. Together these rulings made it clear that companies handling EU data would be held to the standards the EU set out, regardless of where they were based.

The new rules mandate a simple, legible consent process that clearly states what data is collected and to whom it is transferred, and that allows citizens to withdraw their consent at any time. If there is a breach, the data controller must notify the supervisory authority within 72 hours of becoming aware of it, and must notify the affected individuals without undue delay when the breach is likely to put them at high risk. The rules apply not only to governments and businesses within the EU, but also to any company outside the EU that processes the personal data of EU residents. Infringements of core principles, such as the conditions for consent or data subjects' rights, carry fines of up to 4% of global annual turnover or €20 million, whichever is greater. Lesser infringements, such as failing to notify after a breach or failing to perform required risk assessments, carry fines of up to 2% of global annual turnover or €10 million, whichever is greater.

This new legislation will be a tremendous improvement to the existing laws protecting the privacy of European Union citizens' data. We look forward to seeing the results it has in each of these countries and learning from their new practices. Stay tuned to our blog for more IT regulation updates, tips and tricks, and company news!
