The EU General Data Protection Regulation (GDPR) became directly applicable in all EU member states from 25 May 2018 and was expected to apply in the EEA EFTA member states (Iceland, Liechtenstein and Norway) in mid-July 2018. The GDPR replaces the EU Data Protection Directive (Directive 95/46/EC) dated 24 October 1995, and aims to establish a single set of rules throughout the EU, although EU member state data protection laws complement these rules in certain areas. The EU data protection authorities (DPAs), now gathered in the European Data Protection Board (EDPB), have published a number of guidelines on how to interpret and implement the new legal framework. These guidelines give businesses useful guidance on how to align their existing data protection practices with the GDPR.
Impact on businesses
The GDPR largely builds on the existing core principles of EU data protection law and expands them further while introducing new concepts that address the challenges of today’s data-driven economy. In addition, the GDPR launches a new governance model that increases the enforcement powers of DPAs, enhances cooperation between them and promotes a consistent application of the new rules. The most significant concepts of the GDPR affecting businesses are outlined below.
The GDPR is relevant to both EU businesses and non-EU businesses processing personal data of individuals in the EU. For businesses established in the EU, the GDPR applies to all data processing activities carried out in the context of the activities of their EU establishments, regardless of whether the data processing takes place inside or outside the EU. The GDPR applies to non-EU businesses if they ‘target’ individuals in the EU by offering them products or services, or if they monitor the behaviour of individuals in the EU. Many online businesses that were previously not directly required to comply with EU data protection rules are now fully within the scope of the GDPR.