The EU General Data Protection Regulation (GDPR)

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google swap access to people’s data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.


Data Protection Act (directive 95/46/EC)
General Data Protection Regulation

DPA – Any person who’s suffered ‘material damage’
GDPR – Any person who’s suffered ‘material or non-material damage’

DPA – Best endeavors / management commitment
GDPR – Appointment of Data Protection Officer for companies employing more than 250 people OR processing more than 5,000 subject profiles per annum

DPA – Data controllers only
GDPR – Both controllers and processors

DPA – No
GDPR – Parental consent required

DPA – Limited
GDPR – Explicit

DPA – Freely given, specific, and informed
GDPR – Clear, affirmative action with the ability to be withdrawn at a later date



1: Personal data must be processed lawfully, fairly and in a transparent manner.

2: Personal data must be collected for specific, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes.

3: Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This means that the categories of personal data processed should be relevant to the purpose.

4: Personal data must be accurate and up to date. This requires data controllers to put in place policies and procedures for ensuring that personal data is accurate and updated as required.

5: Personal data must be retained for no longer than is necessary.

6: Personal data must be processed in a manner that ensures appropriate security and protects against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational security measures.

7: The data controller must be responsible for, and be able to demonstrate compliance with, the other principles. This principle is known as the “accountability” principle and is new under the GDPR.

The 7 Foundational Principles

  1. Proactive, not Reactive; Preventative not Remedial
  2. Privacy as the Default
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Lifecycle Protection
  6. Visibility and Transparency
  7. Respect for User Privacy