Data protection – the General Data Protection Regulation (GDPR)

Article Index


  • The General Data Protection Regulation (GDPR) will harmonise data protection rules across all the EU member states from 2018. This will involve among other things:
    • the potential for much tougher penalties: maximum fines of €20 million or 4% of worldwide turnover, whichever is higher
    • a new duty to notify data protection authorities of a data breach within 72 hours, and if the risk to individuals is high they must be notified as well
    • a greater emphasis on giving individuals control of their data
    • higher standards for effective consent to data processing
    • new measures to increase accountability, e.g. the requirement for a data protection policy and new record keeping obligations
    • additional data security requirements, including an obligation to impose contractual conditions on other businesses which will process personal data for the organisation, and
    • an obligation for public authorities and public bodies to appoint an independent data protection officer who will have a role similar to that of an auditor
  • The GDPR is a regulation, not a revised directive. The significance of this is that it is directly applicable in member states without the need for additional implementing national legislation. 
  • Employers need to be reviewing what personal data they process and their policies and procedures relating to such data. They will also need to consider commercial contracts and make sure that any organisations to which they transfer personal data are also compliant with the GDPR. 
  • The issues for HR to consider are summarised below and an action plan is included.
The full version of this article is available to subscribers only. To read the full article you must sign in.
Or Subscribe
Find out more about subscription