The General Data Protection Regulation (commonly abbreviated to GDPR) is a replacement for the European Union Data Protection Directive which has governed the Protection of Personal Data in the European Union (EU) since 1995.
Since the original directive was passed, there have been a series of rapid technological and business advances which have brought new challenges to the use and protection of personal data. As a result, there was a desire to produce an updated set of regulations to reflect the new technological and business landscape.
In addition, the Lisbon Treaty created a new legal basis for a modernised and comprehensive approach to data protection, including the free movement of data within the EU.
Furthermore, the GDPR was designed to resolve three issues that have become apparent with the implementation of the original legislation:
- There has been an inconsistent approach to the application of data protection across the European Union which has created barriers for business and public authorities due to legal uncertainty and inconsistent enforcement.
- Difficulties for individuals to stay in control of their personal data.
- Gaps and inconsistencies in the protection of personal data in the field of police and judicial co-operation in criminal matters.
As part of the free movement of data within the EU, the GDPR gives data subjects (typically EU citizens) a series of enhanced rights with respect to their data. The cumulative effect of these rights mean that companies need to understand what data they hold and why they hold it. This is important as fines for the most serious data protection breaches will be 4% of worldwide turnover, or €20 million (whichever is higher).
This regulation will require banks to know who in their supply chain receives personal data, where and how it is processed and who has access to the data. This will be an onerous task and banks will need to partner with their technology providers to provide solutions.
Data security will be vital, as any data breach will need to be reported to the regulatory authorities within 72 hours and to inform their customers of any data breach that effects them; resulting in both reputational as well as financial loss.
The key dates for the General Data Protection Regulation are the following:
- 27th April 2016 – The GDPR is adopted
- 25th May 2018 – GDPR comes into force
One key point to recognise is that to ensure a consistency of approach across the European Union, the GDPR is a regulation and not a directive. As it is not a directive, it does not need enabling legislation by national governments to come into effect.
GDPR will require banks to know who in their supply chain receives personal data, where and how it is processed and who has access to the data. This will be an onerous task and banks will need to partner with their technology providers to provide solutions.