General Data Protection Regulation (GDPR)
The European Parliament ratified the General Data Protection Regulation (GDPR) on 14 April 2016, and as of 25 May 2018 organisations are required to be in full compliance with it. This legislation is the most impactful change in privacy and data protection regulation of the last decade, and it affects organisations worldwide. The GDPR necessitates fundamental changes to the way organisations approach data protection. Privacy risks need to be structurally mitigated through the implementation of core principles such as lawfulness, fairness and transparency of data processing. Each organisation is required to keep detailed documentation in order to demonstrate accountability to the privacy authority.
GDPR timeline:

1. Implementation / enforcement: 01/2012 - 12/2015
2. Discussion / consultation: 12/2015 - 05/2016
3. Implementation / enforcement: 05/2016 - 05/2018
4. In effect: 05/2018 -
Before the GDPR took effect, the enforcement options available to data protection regulators were limited. With the GDPR, this has fundamentally changed: the regulation introduced fines that may amount to 4% of global annual turnover. Furthermore, because of the requirement to implement Privacy by Design and Privacy by Default, organisations have to build data protection considerations into the core of their business activities. In addition, the geographic scope of the legislation reaches all organisations that offer goods or services to EU citizens, as well as organisations that monitor the (online) behaviour of EU citizens.
KPMG: Data Privacy