The General Data Protection Regulation or “GDPR” is a piece of legislation, adopted to replace the current 1995 Directive. The GDPR had a 2-year transitional period ending on the 25th of May 2018. By then all the affected organisations need to implement the measures regarding the protection of personal data.

The GDPR marks the beginning of a new era in personal data protection within Europe mainly for 2 reasons – the fact that it is a Regulation and not a Directive, meaning that member states are required to implement the law on a unified basis thereby creating a “one continent one law” AND the hefty fines introduced by it which highlights the importance of controlling and/or processing personal data of EU data subjects.

What makes GDPR even more powerful is that it is perceived as a global data protection law as a result of  the extraterritorial scope of the GDPR. This represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects. Thus, almost any organization (whether or not they are physically present within the EU will fall within the remit of the GDPR where they have access or control of personal data on EU data subjects).



GDPR has an extensive scope covering all organisations dealing with personal data of EU citizens. 

  • Are you a dentist in the UK? – You’re affected
  • Are you an online trader selling to EU customers? –You’re affected
  • Is your company operating with any kind of personal data relating to EU data subjects? –You’re affected
  • Are you a hairdresser that keeps records of your EU data subjects? –You’re affected
  • Are you an estate agent selling property to EU data subjects? You’re affected



  • Requirement of Express/Explicit Consent from data subjects
  • New principles regarding processing of personal data (e.g. Data minimisation, Retention period etc.)
  • Introduction of new data subject rights (e.g. Right to be forgotten, Data portability etc.)
  • The need to appoint a Data Protection Officer (DPO)
  • Introduced the concepts of Privacy by Design and Privacy by Default
  • New encrypting and security standards for protecting personal data (e.g. Pseydonimisation, Anonymisation, Encryption)
  • New and strict procedures regarding the notification in case a data breach occurs
  • Increased amount of penalties for failing to comply with the GDPR’s requirements

Check out the following video for a summary of the key changes.



Material breaches

  • up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.  
  • up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. 

Non-material breaches

  • Negative effect on the company’s reputation
  • Loss of potential clients and decreased trust of existing ones 
  • Never-ending court trials with the affected parties or with the data protection authorities