The EU General Data Protection Regulations – From the General to the Particular

The EU adopted the General Data Protection Regulations (GDPR) in May 2016. These regulations are of interest to anyone involved in creating, handling and treating data or to people whose data is held by others. This, when you come to think about it, is just about everyone these days.

As someone who has been involved professionally in treating protected data for more than two decades, I have a particular interest in this general set of regulations from the point of view of the data handler – and yet as a consumer, I have personally suffered from exposure to data breaches.

Hence my blog to help others understand the GDPR. To help me, I have called upon the services of six honest serving men. “… Their names are What and Why and When[,] And How and Where and Who.” (Rudyard Kipling, The Elephant’s Child)

What Is the GDPR?
The preceding EU Data Protection Directive 1995 was reviewed starting in 2012. The increasing number of data breaches affecting EU citizens and the high costs to organisations of remedying data breaches led to the 2016 review of EU data protection and the GDPR.

In 2016, the cost of remedying a data breach was estimated at an average of $4 million per breach, or $158 per record. The research is publicly available in the IBM/Ponemon 2016 Cost of Data Breach Study.

Why Regulations Rather Than a Directive?
In the EU, a directive is umbrella legislation that each member state adopts into its own national legislation. An EU regulation is prescriptive legislation applicable to all member states with no national variation.

Who Will GDPR Apply To?
Whereas the Data Protection Directive applies to those organisations that create data, the GDPR expands liability to any organisations that handle, store and treat data. This effectively means nearly all organisations in the modern world.

How Will GDPR Work?
For organisations proven guilty of a data breach, sanctions include fines of up to €20 million or 4 percent of their annual worldwide turnover. Individuals can also sue for compensation. The high costs of failure are meant as a deterrent in order to force organisations to take data protection very seriously.

Where Will GDPR Work?
Compliance will be required of any organisation that stores the data of EU citizens – not just in the EU but also outside EU boundaries. The importance of international cooperation is set out in the EU-US Privacy Shield guide.

When Will GDPR Come into Force?
The GDPR is effective as of May 25, 2018.

As you may have guessed, the EU GDPR are not simple directives and can’t be neatly summed up in one short blog. In fact, this blog has raised more questions – such as “Who in particular needs to be aware of responsibilities under the GDPR?” and “How can organisations be sure protected data is destroyed when no longer required?” These questions and more will be answered in follow-on blogs. Meanwhile, feel free to contact me to share your own questions or concerns about GDPR.


Gary Griffiths manages global partner compliance for Arrow Electronics, ensuring that Arrow and its global partners comply with local and international laws, regulations, and best practices. A Chartered Environmentalist and a Chartered Waste Manager with more than two decades’ experience, Gary has expertise in data security and compliance.
