
EU General Data Protection Regulation Takes Shape

By CIEEM Insurance Services

In December 2015, the European Parliament and Council agreed the final text of the General Data Protection Regulation (GDPR), which the European Commission had proposed in January 2012. The regulation replaces the patchwork of national laws with a single set of data protection rules across all 28 EU member states, and it also binds organisations established outside the EU whenever they offer goods or services to, or monitor the behaviour of, individuals in the EU. Its stated objectives are to strengthen data protection for EU citizens and to give businesses clear, modern rules. These objectives are to be met through significant changes in the following two areas:

  1. Data subjects

A data subject is any living individual who can be identified, directly or indirectly, from personal data; personal data is any information that relates to such an individual. The regulation introduces the following for data subjects:

  • A new right to ‘data portability’, which will enable data subjects to obtain their personal data in a commonly used, machine-readable format and transfer it between service providers
  • A clarified ‘right to be forgotten’ (right to erasure), which will guarantee that if subjects no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted
  • A right to object to processing for direct marketing purposes, including targeted online advertising
  • Specific protection for vulnerable data subjects, in particular children
  • Easier ways to take action against non-compliant data controllers, including complaints to the national data protection authority and judicial remedies

  2. Businesses

Under the GDPR, businesses will be required to do the following:

  • Take accountability for the personal data they are responsible for, and be able to demonstrate compliance with the regulation
  • Build data protection safeguards into products and services from the outset (‘data protection by design and by default’)
  • Carry out data protection impact assessments before starting any processing that is likely to pose a high risk to individuals, documenting the risks and the measures taken to address them
  • Appoint a data protection officer, who will advise on data protection law and help shape the business’s privacy and data protection policies, where the business is a public authority or its core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data
  • Report personal data breaches to the national data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals

In addition, businesses will no longer be required to register their processing activities with the local data protection authority in advance, a change expected to save an estimated £100 million. However, if a business fails to meet any of its obligations under the GDPR, the data protection authorities will be able to issue fines of up to 4 per cent of its total worldwide annual turnover.

Although the GDPR has not yet been formally adopted, the European Parliament and Council expect to do so in the coming weeks. After formal adoption there will be a two-year transition period, so the regulation will apply from 2018. Your business should use this time to put the practices listed above in place.


To read more, download the full edition of Cyber Risks and Liabilities – January|February 2016
