The Regulatory Imperative of the GDPR, Part 1


The GDPR is the new regulation on data protection for personal data across the EU. It replaces the earlier 1995 EU Directive on data protection, bringing a newly modernized and harmonized regulation for all EU member states. It raises the game on data protection in some significant areas, while continuing with the foundational principles of the original Directive.


  • First, it is likely to apply to all organizations, even those not based in Europe, because it mandates certain protections and provisions for any organization that controls or processes personal data on EU residents where processing is related to offering goods or services (“irrespective of whether a payment of the data subject is required”) or monitoring behavior that takes places place within the EU (Article 3). Being located outside of the EU does not grant an exemption to a data controller.
  •  Second, the cost of non-compliance is significant, with a financial penalties regime of up to a €20 million fine or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.


In 1995, the EU released a directive on the protection of personal data to be applied across all members of the Union. It enshrined the right of residents within the EU to the protection of their personal data, and imposed certain obligations regarding the handling and processing of personal data on organizations located within the Union. As a directive, however, Member States were free to specify the obligations in different ways, leading to inconsistency in the regulation of data protection across the EU, and a host of negative downstream consequences for organizations doing business across multiple states.

In May 2016, after four years of exploration, discussion, and negotiation, the 1995 Directive was replaced by a common regulation – Regulation (EU) 2016/679 – commonly called the General Data Protection Regulation (GDPR). Except where permitted in the GDPR, member states are no longer free to add nuances in the implementation of the law because the new law is a common regulation instead of a directive. The legal framework from the Directive has been carried forward, updated for the current data protection, security and associated technological landscape of 2016, and certain new far-reaching requirements have been introduced. The 1995 Directive is “repealed with effect” from 25 May 2018 (Article 94), the same day the new regulation goes into full effect.

 It is worth noting that the GDPR is complemented with a specific directive for the collection and processing of personal data related to criminal proceedings, and while there is commonality between the new Regulation and the new Directive, the specific provisions and requirements under Directive (EU) 2016/680 are not the focus of this white paper.


The scope of the GDPR is “personal data”, which is defined in Article 4 as “any information relating to an identified or identifiable natural person ... who can beidentified, directly or indirectly ... by reference to an identifier.” Identifiers listed in Article 4 include name, identification number, location data, and other identifying factors, such as physical, mental, and cultural, among others. While that represents a broad scope of personal data, not all data collected or processed by an organization is personal in nature. Of particular note is that previously collected personal data that has been fully anonymized and cannot be re-identified to an individual is excluded from the compliance requirements of the GDPR, enabling its use for data analytics, for example.

The Regulatory Imperative of the GDPR, Part 2