MHC Tech Law: What will the General Data Protection Regulation mean for business?

29 Mar 2016

Under the GDPR, a failure to adequately protect data could lead to large fines

Mason Hayes & Curran introduces the General Data Protection Regulation, which was agreed upon at the end of last year, and looks at what it will mean for businesses.

In December 2015, three years after the first draft was proposed, and almost 20 years since the Data Protection Directive was adopted, EU lawmakers came to agreement on the reform of data protection law. The new General Data Protection Regulation (GDPR) was agreed upon and is currently in the process of formalisation and translation.

The General Data Protection Regulation is expected to come into force in 2018. Let’s take a look at this piece of legislation and some of the implications for businesses.

What is the General Data Protection Regulation?

The GDPR will replace the current Data Protection Directive.

As a Regulation, and unlike the preceding Directive, it applies directly. This means that the GDPR does not need to be implemented through each member state’s national law. This should reduce the level of national variation in relation to data protection law, though it will not eliminate it entirely, as member states retain some discretion in certain areas.

The GDPR will comprehensively regulate data protection throughout the EU (with the exception of data processed for law enforcement purposes). The GDPR builds upon familiar concepts and rules in the Data Protection Directive, but in many ways it goes further. It has wider scope, standards have been raised, and sanctions are much higher.

What does it mean for businesses?

With a greater level of harmonisation of laws across the EU, it should be easier for businesses that sell goods or services across the EU to take a unified approach in multiple EU states. However, the compliance burden is generally greater than that currently in place, so many organisations will have to review and enhance their existing practices.

In particular, the introduction of the ‘accountability’ principle means that affected organisations will have to work on their internal compliance, including record keeping and, for some, the appointment of a data protection officer.

Businesses have some time before the GDPR comes into effect. However, getting to grips with a new compliance framework takes time and, when developing any new products or projects, an eye should be kept to the future.

Why is it important?

The GDPR represents the future of the regulation of data protection in the EU. It is particularly important for two reasons. First, the GDPR has a very wide scope and will capture both data and companies that previously fell outside the realm of EU data protection regulation. Second, the potential fines under the GDPR are extremely high.

The GDPR provides for a two-tier system of fines, depending on the type of non-compliance. For the lower tier of offences, a fine up to the higher of €10m or 2pc of the organisation’s total worldwide annual turnover in the previous year may be imposed. The lower tier of offences includes breaches of privacy-by-design obligations, the rules relating to processor contracts, record-keeping obligations and processing security requirements.

For the upper tier of offences, there is potential for fines up to the greater of €20m or 4pc of the organisation’s total worldwide annual turnover in the previous year. Offences that attract the higher level of sanction include breaches of the basic principles for processing, including conditions for consent, infringing data subjects’ rights and unlawful transfers to countries outside the European Economic Area.

For group companies, the percentage fine seems to attach to the turnover of the group, not just the individual company in question. For large multinationals, this is a particularly significant deterrent.

There are a number of factors that the data protection authority must consider when deciding the amount of the fine to be imposed, including:

  • The nature, seriousness and duration of the infringement
  • Whether the infringement was intentional or negligent
  • Actions taken to mitigate the damage suffered by data subjects
  • Relevant previous infringements
  • Whether the wrongdoer co-operated with the data protection authority
  • The categories of personal data affected.

What next?

As the finalisation and translation of the GDPR are currently in progress, we can expect the GDPR to be formally adopted in the coming months.

The Article 29 Working Party (the group of EU data protection regulators) has released a statement indicating that its priorities will be:

  • Setting up the new European Data Protection Board. The Board will replace the Article 29 Working Party and have an enhanced role under the GDPR
  • Preparing the one-stop shop and consistency mechanism
  • Issuing guidance, in particular on data portability, the notion of ‘high risk’ and data protection impact assessments, data protection officers and certification
  • Communication relating to the new European Data Protection Board and the GDPR.

We will be continuing to look at key aspects of the GDPR throughout the coming weeks and months, so stay tuned for more updates in this area.

The content of this article is provided for information purposes only and does not constitute legal or other advice. 

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out for more.
