EU data protection law has come a long way over 

the last two decades.

When Directive 95/46/EC (the "Directive") was written in the mid-1990s, the highly networked and 

interconnected world in which we live today was merely a glimmer on the horizon. The internet itself was still

a fairly new innovation to many people. Many organisations did not yet have public websites. Concepts such

as online social media platforms did not exist—and certainly nobody had considered how they should be 

regulated. Consequently, courts and Data Protection Authorities ("DPAs") have increasingly had to adapt the 

Directive to a world it simply was not designed for.

Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") will replace the Directive. The 

GDPR was published on 4 May 2016, marking the end of a four-year legislative process. It introduces a raft 

of sorely needed clarifications and updates, which will carry EU data protection law forward, well into the 

next decade. It also introduces major changes to the compliance burden borne by organisations.

 

The GDPR represents a hugely significant step in 

the development of privacy as a concept.

It is difficult to overstate the importance of the GDPR. First, it is very wide-ranging, and will impact almost 

every organisation that is based in the EU, as well as every organisation that does business in the EU, even

if based abroad.

Second, the GDPR is extremely serious. For too long, EU legislators and DPAs have felt that organisations 

do not take their data protection responsibilities seriously enough, and so the GDPR dramatically increases 

the maximum penalties for non-compliance to the greater of €20 million, or four percent of 

worldwide turnover—numbers that are specifically designed to attract C-Suite attention.

Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency; 

it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce

against organisations. Satisfying these requirements will prove to be a serious challenge for many 

organisations.

 

Enforcement of the GDPR is coming soon, and 

organisations need to be ready.

Early planning is essential. Enforcement of the GDPR starts on 25 May 2018. Organisations will find it very 

difficult to bring their business operations into compliance with the GDPR by this date unless they take its 

requirements seriously, and commit sufficient time and resources to satisfying those requirements. 

Because the GDPR affects almost all of the ways in which an organisation processes personal data, the 

scale of this task should not be underestimated.

Our Global Data, Privacy & Cyber Security Practice is ideally positioned to guide organisations through the 

process of understanding, and complying with, the GDPR. The breadth and depth of our experience in 

advising organisations on their data protection compliance obligations enables us to provide practical advice

on real‑world solutions to the complex problems that arise in this context, throughout the EU and beyond.

 

NEXT CHAPTER
Chapter 1: Introduction

 

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice

White & Case Technology Newsflash

 

If you would like to request a hard copy of this Handbook, please do so here.

For more information, please contact White & Case’s Seoul office.