The final draft of the new European General Data Protection Regulation (GDPR) was agreed on 15 December 2015 and, once it has been approved by the European Parliament in early 2016, is expected to take effect by early 2018. This reform aims to update data protection law to address the challenges of the digital age while simultaneously protecting the rights of individuals and enabling businesses to utilise personal data in a more consistent manner across the European Union. The GDPR will be directly applicable in the same form in all EU Member States with the intention of reducing the burden on international organisations that, up until now, have had to vary their compliance to satisfy the particular data protection requirements of each Member State.
The key points to take away from the GDPR are as follows:
- International application of the GDPR
European data protection law will now apply depending on the type of data processing being undertaken and not necessarily depending on where that processing is being carried out. In addition to data controllers (persons that determine the purposes for which personal data is processed) that are established in the European Union, data controllers located outside the EU that process personal data in relation to offering goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will be subject to the GDPR. Non-EU organisations will need to consider whether their activities are caught by the GDPR and whether they must appoint a European representative to take responsibility for their actions.