A Simple Guide to Complex GDPR Legislation

Posted on: August 20, 2015 by Mark Roberts

General Data Protection Regulation (GDPR) – a single law

In Varietate Concordia, translated as Unity in Diversity, is the official motto of the European Union and encapsulates the hope that Europeans can be united in working together for peace and prosperity. This sentiment is at the heart of all of the EU's developments, from the abolition of passport controls within the Schengen Area through to its recent plans for a Digital Single Market.

And it is once again present in the European Commission's attempt to unify data protection within the EU through the General Data Protection Regulation (GDPR): a single law, applicable to all 28 member states, which aims to build trust within the region and bring data protection up to date in light of new technological developments such as cloud, social and mobile.

In the past, European countries have adopted different approaches to, and interpretations of, data protection, making it difficult for non-EU organisations to demonstrate compliance and often leading to confusion among citizens. A single, harmonised Data Protection Regulation will go a long way towards resolving these issues, making it easier for non-EU companies to operate in a single European market and giving citizens greater confidence that their data is protected.

There is a constant tension between the ability to do ever more business online and the individual's right to privacy, which depends on consumer data being properly safeguarded. GDPR attempts to define where that balance should lie, identifying a number of rights for citizens and a number of responsibilities that organisations must adhere to.

Key principles

Although GDPR is still being finalised, and its final composition is therefore yet to be determined, the Regulation is expected to enshrine a number of key principles:

  • The Right to be Forgotten – following a recent court ruling in Spain, this enshrines the principle that a data subject (typically an individual citizen) has the right to request that personal data held on them inappropriately be erased.
  • Consent – it must be made clear whenever an organisation wishes to collect and use citizen data, and organisations are expected to be able to prove that consumers have opted in.
  • Data Portability – citizens are expected to gain the right to request a copy of all personal data being processed on them, in a form they can take to another provider.


And with these rights come a number of responsibilities for organisations:

  • Data breaches will need to be reported to the authorities as soon as they are detected;
  • A Data Protection Officer will need to be appointed to interface with the national supervisory authority;
  • Failure to comply with the new GDPR could, in extreme cases, result in a fine of up to 5 per cent of the company's annual worldwide turnover.

Personal data of EU residents

Crucially for citizens, the GDPR applies to ANY organisation processing the personal data of EU residents, even if that organisation is based outside the European Union. Personal data means anything from a name or email address to a photo posted on a social media site, and the Regulation is particularly demanding for sensitive data such as medical records or bank details. One of the biggest differences from the current regime is that this is a Regulation, not a Directive: every EU member state will be bound by it after a two-year transition period, without any further legislation having to be passed by national governments.

Next time I'll be looking at the key challenges facing the GDPR, from the Regulation's implementation and enforcement through to the issues for organisations looking to comply…

About Mark Roberts

Associate Partner at Atos Consulting and Head of our Information Governance Risk and Compliance Practice
Mark is an Associate Partner at Atos Consulting and Head of our Information Governance, Risk and Compliance Practice in the UK. Mark has over 20 years' experience in business. He is an experienced consultant, having worked for a wide range of clients at both PwC Consulting and IBM Business Consulting Services. He also has a strong technical and security background, having worked for the UK Ministry of Defence and, more recently, for QinetiQ, a Defence and Security Technology Services company. Mark joined Atos Consulting in 2013, where he led and grew the UK's Information Security consulting practice from 25 to 50 consultants in the space of 18 months. He was then responsible for developing our global security consulting capability and, more recently, was instrumental in setting up a new consulting capability focused on Digital Transformation. Mark has recently rejoined the UK Practice to lead a newly formed Practice of about 60 consultants focused on all aspects of Information Governance, Risk and Compliance, including Organisational Risk, Operational Resilience, Business Continuity, Information Security and Information Management. The Practice's objective is to help its clients stay safe and compliant in the ultra-connected Digital Age and to enable Digital Transformation programmes by understanding and managing potential new information-related risks and issues (e.g. new security risks, privacy and data protection legislation, risk and resilience).