Select Page

Key Changes

The GDPR represents an evolution of privacy law. What was once best practice, has morphed into mandatory legal requirements. With the threat of fines of up to 4% of annual worldwide turnover or €20million, failure to adequately prepare could not only affect a companies’ bottom line, but also its customer relationships and brand reputation.


Broader Scope

  • Obligations on both controllers and processors
  • Extraterritorial application to foreign controllers and processors
  • Wider definitions
  • Processing data of children under 16 requires parental consent


  • Risk-based approach
  • No national registration of processing or prior authorisation
  • One-Stop-Shop: lead regulator for pan-European matters, in cooperation with other regulators; local regulator for local matters and redress for individuals

Increased Obligations

  • Data protection principles tightened (consent, transparency)
  • Direct obligations and liability for processors
  • Accountability and Data Protection Officers
  • Internal record of processing
  • Mandatory Privacy Impact Assessments
  • Privacy by Design and Default
  • Mandatory breach notification to regulators and individuals
  • New profiling rules

    Strengthened Individual Rights

    • Right to information and data access
    • Right to rectification and erasure (“right to be forgotten”)
    • Data portability
    • Right not to be subject to decisions based on automated processing

    Increased Enforcement & Liabilities

    • Administrative fines up to 4% of annual worldwide turnover
    • Individual actions
    • Class actions
    • Criminal sanctions (in national laws)
    • Larger role for European Data Protection Board (EDPB)