by Robert Bond
The EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and will hit many companies hard; preparing for it will increase the compliance workload for a number of reasons. GDPR applies to any business that processes personal data relating to individuals in the EU, wherever in the world that business is based.
GDPR sets out six lawful grounds for processing personal data, of which consent is only one. Whilst consent is undoubtedly necessary in many cases (particularly where the data is sensitive), the compliance team will also need to focus on the other lawful grounds, such as contractual necessity and legitimate interests.
As GDPR introduces key principles such as transparency and accountability, businesses will need to ensure that their privacy notices and consent mechanisms are spelt out in plain and intelligible language, and that there is an audit trail of when and how consent was obtained. Businesses whose core activities involve processing large volumes of personal data and/or sensitive data (special categories of data) will need to appoint a data protection officer to oversee compliance.
As GDPR expands the rights of individuals over their personal data (e.g., access, portability, and erasure), the compliance team will need to ensure that appropriate policies and standard operating procedures are in place to deal with individuals who exercise those rights.
GDPR places an obligation on controllers to ensure they have suitable data-processing agreements in place with processors to whom
The impact of the EU GDPR
» Understand that the European Union (EU) General Data Protection Regulation (GDPR) impacts most businesses from 25 May 2018, even corporations that have no EU affiliates but still target individuals in the EU.
» Realise that GDPR imposes strict processing obligations on controllers and processors of personal data.
» Recognise that personal data covers much more than personally identifiable information (PII).
» Appreciate that individuals will have enhanced rights over their personal data, such as rights of access, erasure, and rectification, as well as data portability and the right to object to profiling.
» Learn that failure to comply with GDPR may lead to increased scrutiny and fines, and that aggrieved individuals will have rights to compensation.
Robert Bond is a Partner & Notary Public at Bristows LLP in London, UK.