After more than four years of discussion, the new EU data protection framework was adopted on 8 April 2016. It takes the form of a Regulation – the General Data Protection Regulation (GDPR). The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will take effect on 25 May 2018. However, because it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact.
The Regulation mandates considerably tougher penalties than the DPA: organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.