Prettys Solicitors Ipswich


The General Data Protection Regulation (GDPR)

Global data flows are fundamental to modern communication and to everyday commercial and social interactions. The General Data Protection Regulation (679/2016/EU) seeks to harmonise data protection law across the EU and to transform the way in which personal data is collected, shared and used. It aims to strengthen the rights of individuals, particularly with regard to consent. The GDPR will see organisations held to higher standards than ever before in their use of personal data, with severe penalties for non-compliance. Although it will not apply until 25 May 2018, its impact is already being felt by organisations, because many of the onerous obligations it contains will take time to implement. Ensuring compliance is imperative: breaches will leave data controllers liable to fines of up to the higher of 4% of global annual turnover for the preceding year or €20m.

Cyber risk affects practically every business, and nearly nine out of ten large organisations have suffered some form of cyber security breach. For most industry sectors within the EU there is currently no obligation to notify either regulators or affected customers of a breach. The GDPR seeks to change this, demonstrating that regulators are serious about improving data security.

Geographical Scope

The GDPR will apply whenever an organisation's use of personal data relates either to the offering of goods or services to individuals in the EU or to the monitoring of those individuals' behaviour. In this respect, virtually every website that uses tracking cookies, and every app that retrieves user information, will be subject to the GDPR.

New Obligations for Data Processors

The GDPR imposes direct obligations and liability on data processors for the first time. These obligations include ensuring that appropriate security measures are implemented, maintaining appropriate records and cooperating with data protection authorities when requested to do so. Data protection authorities may use their enforcement powers against data processors, and individuals may seek compensation directly from data processors that breach the new obligations.

Consent Rules and the ‘Right to be Forgotten’

The overall aim of the Regulation is to put individuals in control of their data. The GDPR contains stringent new conditions on data controllers to obtain valid consent from data subjects (Article 7). This includes ensuring that requests for consent are formulated in clear and plain language.

In addition, Article 17 introduces a ‘right to be forgotten’, meaning individuals have the right to request that the data controller erase their personal data. This covers instances such as where the data is no longer necessary for the purpose for which it was processed, or where the data subject has subsequently withdrawn consent. Furthermore, a data controller that has made the personal data public should inform other third parties processing that data that they should erase any links to, or copies or replications of, it.

Providers must also take account of the principle of ‘data protection by default’, meaning that the default settings on social media sites, for example, should be those that provide the most privacy. Individuals should be informed as clearly, understandably and transparently as possible about how their personal data will be used, so that they can decide what data to share.

EU to US Transfers of Data and the Privacy Shield

The European Commission adopted the EU-US Privacy Shield on 12 July 2016. It is designed to address the aspects of Safe Harbour that the ECJ found to be deficient in the high-profile Schrems case, which invalidated the Safe Harbour Agreement. The Privacy Shield aims to protect the fundamental rights of Europeans when their data is transferred to the United States and to ensure legal certainty for businesses. For 15 years the Safe Harbour Agreement allowed both US and EU firms to bypass tough EU data transfer rules by stating that they complied with European privacy standards when storing information on US servers.

The Privacy Shield is fundamentally different from the Safe Harbour Agreement, seeking to address the concerns of the ECJ as set out in the Schrems ruling. It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. It creates a system of self-certification by which organisations commit to comply with a set of ‘Privacy Principles’. These include more stringent obligations on how personal data may be processed, guaranteed individual rights and tougher liability provisions.

For companies headquartered in the US that are concerned about lawfully transferring personal data from the EU to the US, the Privacy Shield may be the best option. However, such companies will need to comply with the onward transfer principle. This requires that any onward transfer to a third-party data controller takes place only on the basis of a contract giving the recipient the same level of protection as that guaranteed under the Privacy Shield principles.

Going forward, the primary goal of EU companies carrying out business in the US is to comply with the GDPR. While the Privacy Shield imposes obligations similar to those found under the GDPR, the GDPR imposes far greater accountability measures on companies. Apart from transfers to jurisdictions that the Commission has officially declared adequate, both controllers and processors may only transfer data outside the EU if they put in place appropriate safeguards, and on the condition that enforceable rights and effective legal remedies for individuals are available (Article 44). Thus, if the goal is to ensure compliance with the GDPR, the Privacy Shield alone will not suffice, and many companies will need to rely on several legal mechanisms when transferring data globally.


The UK’s vote to leave the EU and the ensuing process of Brexit will have some impact on the transfer of data. Unless the UK becomes a member of the European Economic Area after Brexit, it will effectively become a ‘third country’, putting it on the same footing as the US from a data protection perspective. Many businesses therefore wish the UK to retain the GDPR upon leaving, so that it can be recognised as a country providing adequate protection for personal data and the free flow of data with the EU can continue.

Any UK business which trades in the EU will have to comply with the GDPR despite Brexit taking effect. This is because the GDPR’s many obligations will apply to organisations located anywhere in the world which process EU citizens’ personal data in connection with their offer of goods or services, or their monitoring activities. Furthermore, any UK business which has a group company or staff operating within the EU will have to comply with the GDPR’s provisions. With so many businesses and services operating across borders, the Information Commissioner’s Office (ICO) has stated that “international consistency around data protection laws and rights is crucial both to businesses and organisations, and to consumers and citizens.” This suggests that the ICO will advocate that UK law should be brought in line with the GDPR post Brexit.


