The European Union GDPR: An Action Guide

The full regulation covers many areas. The top ten provisions are:

  1. Increased fines. Fines can be up to 4% of global turnover or €20M, whichever is higher.
  2. Opt-in consent. Users must give clear, unambiguous consent for you to use their data and you must only use it for the purpose defined.
  3. Breach notification. The local supervisory authority (see Supervisory Authorities & Their Responsibilities) must be informed within 72 hours of any data loss and users informed «as soon as possible».
  4. Territorial scope. Any organization with data on EU residents has to conform, wherever they are based.
  5. Joint liability. Data controllers and data processors are jointly liable for data loss incidents.
  6. Right to removal. Users have the right to demand the removal of their data.
  7. Removes ambiguity. One law across the EU.
  8. Data transfer. Transferring data outside the EU is allowed, but the data controller is ultimately responsible if data is lost via a non-EU cloud provider.
  9. Common enforcement. The enforcement agencies are expected to enforce consistently across all the countries.
  10. Collective redress. Users can work together to sue using class action lawsuits.

Who does it affect?

GDPR applies to any organization (commercial or governmental) globally that collects, stores, or processes data on EU individuals. The law is an expansion of the previous directive which only affected data controllers and could only be enforced on organizations themselves based in the EU. Data processors are now jointly liable with data controllers, so if your organization collects data on individuals and then outsources the processing of that data to another entity, both you and they are jointly liable for that data.

Data controllers outside the EU

Some data controllers based outside the European Union have, in the past, claimed that they are not subject to the directive because they are not based in one of the 28 countries of the EU. The regulation makes it very clear that anyone, wherever the organization is based, is responsible if they are processing data on European data subjects.

An organization does not need to have a legal presence in a particular EU country for the courts to decide that it is responsible there to the supervisory authority.

Definition of personal data

The law has been written in a way that does not specify everything that is personal data to ensure the law does not become out of date if a new way of identifying people appears. Broadly speaking, any data that identifies a living person is considered personal data.