A Cheat Sheet for the General Data Protection Regulation

August 13 13:57 2015

We all know it’s coming, we just don’t know precisely what “it” is yet. The General Data Protection Regulation (“GDPR”) has now moved to the trilogue stage of the EU legislative process, with the three EU institutions – the Commission, Parliament and Council – trying to negotiate a final text. Those leading the charge for the GDPR in Europe are optimistic that the final text will be agreed by the end of the year, leaving organisations that process personal data two years to implement the new law before it comes into force at the start of 2018.

This ‘cheatsheet’ provides a quick overview of the story so far and what has been proposed in each of the draft texts produced by the Commission, Parliament and Council.

The story so far

  • The current law is the EU Data Protection Directive 1995 (95/46/EC), implemented slightly differently in the domestic legislation of each member state. In the UK, this is the Data Protection Act 1998.
  • The proposal is to replace this with a Regulation, which would therefore be directly applicable in each member state without the need for implementing legislation.
  • The legislative process has been ongoing for more than three years, and there are three published versions of the draft Regulation:
      • The initial proposal by the Commission, published in January 2012.
      • The EU Parliament’s revised version of the Commission’s draft, approved by the Parliament in March 2014.
      • The EU Council’s draft, finalised on 11 June this year.
  • The process has now entered the ‘trilogue’ stage. This is where the Commission, Parliament and Council conduct informal negotiations, prior to the formal readings of the text before the Parliament and Council, in order to reach a closer agreement on the text before the actual votes take place.
  • The current expectation is for the legislation to be approved by the start of 2016. There will then be a two-year implementation phase, and the law will come into force at the start of (or mid) 2018.

Highlights from the three drafts

The proposed drafts are very long (approximately 140 Recitals and nearly 100 Articles); what follows is therefore intended to cover headline changes only, and is not a comprehensive overview. There is also some significant variation between the three drafts, which we have tried to highlight below. Where wording is square-bracketed, this indicates that it does not appear in all three texts.

  • The general concepts stay the same. The GDPR will still have the concepts of controllers and processors, with the majority of obligations on controllers. The definitions of “personal data” and “sensitive personal data” stay broadly the same. There are the same obligations regarding notice, processing grounds, proportionality, data transfers etc.; the key change is that the rules get a lot more detailed (and therefore more prescriptive).

1. Jurisdiction

  • Territorial scope: The territorial scope of the existing Directive is somewhat complex (particularly after the Google Spain “Right to be forgotten” ruling). The GDPR will simplify the situation for non-EU based controllers: the GDPR will apply to these organisations if they are offering goods and services to individuals in the EU (irrespective of payment).
  • The ‘one-stop-shop’: A highly controversial proposal, since it involves some Data Protection Authorities (“DPA”) potentially giving up their powers to regulate controllers based in more than one jurisdiction. The initial idea was that a controller based in more than one member state could designate a ‘lead’ DPA where their main establishment was based. All regulatory action would then be the lead DPA’s responsibility. However, it looks likely this will be watered down so that other DPAs still have a role – and individuals can still bring complaints to their local DPA. So more of a several-stop-shop then…
  • No more obligation to register with the local DPA: An attempt at red-tape cutting by the EU, which is likely to be welcomed by most organisations.


  • Data Protection Policies: Requirement to have (concise), transparent, clear and easily accessible policies. There are somewhat prescriptive requirements in this regard e.g. you must identify the purpose of the processing, your retention periods, and state whether the data is encrypted. The Parliament has suggested standardised icons (similar to traffic light food labelling), which controllers can use to quickly inform people.

3. Accountability

  • An entirely new principle: For the first time, data protection compliance will not only be about what happens when things go wrong. Organisations will also need to be able to demonstrate they are consistently complying with the GDPR in their ordinary course of business. Essentially, this means organisations will need to have compliance policies in place (which may need to be reviewed every (2) years). There is also a requirement to document data processing activities. Under the Parliament text, this principle will also apply to processors.
  • Privacy by design & Privacy by default: Privacy can no longer be something you can ‘add on’ afterwards, but should be factored into products and procedures from the design stage onwards.
  • Risk assessments and Privacy Impact Assessments: Already good practice, “PIAs” become mandatory under the GDPR.
  • European Data Protection Seal: DPAs and/or accredited auditors may have the power to grant a data protection ‘seal’ to organisations who can demonstrate a sufficiently high level of compliance.

4. Individual rights

  • Continued strong focus on consent. There is still much debate as to whether consent should be “explicit” (Commission and Parliament texts) or “unambiguous” (Council text); and also whether this makes any difference in reality…
  • Subject Access Right is broadened, as individuals will also have a right to know, amongst other things, retention periods and a description of the consequences of the processing. However, the carve-out for ‘mixed’ personal data (i.e. personal data about more than one individual) is stronger than under the UK Data Protection Act.
  • A ‘right to be forgotten’: Still up for debate. Introduced in the Commission text, but amended in the Parliament text to be only a ‘right to erasure’; ‘forgotten’ is back in the Council text. It looks likely it will apply when the controller is relying on the “legitimate interests” ground, unless the controller can demonstrate that its compelling legitimate interests override the objections of the data subject.
  • Other rights: Right to object to profiling, right to data portability. Note that in the Parliament text the right to data portability has been deleted, and in the Council text it only applies where the processing is based on consent or performance of a contract.


  • Essentially stays the same. A missed opportunity to fix the problem of data transfers in the internet age. Existing adequacy decisions will remain for five years. “Appropriate safeguards” options continue to be BCRs or Model Clauses, with the potential addition of the European Data Protection Seal. Organisations will need to renew existing Model Clauses every five years.
  • Foreign law enforcement access: The Parliament text contains a new Article specifically directed at foreign law enforcement access. It would require organisations to notify and obtain prior authorisation from the local DPA, and inform individuals before giving personal data to foreign law enforcement.

6. Processors

  • Direct obligations on processors: The existing contractual obligations (e.g. to process on the instructions of the controller, have appropriate security measures etc.) now become statutory obligations, as does the obligation to have a written contract in place (i.e. it becomes an obligation on both parties). There are also (potential) primary obligations on processors to appoint a Data Protection Officer, to notify the controller in the event of a security breach, and requirements when engaging sub-processors. Processors face the same potential fines as controllers (see below).
  • The Parliament text contains significantly more obligations on processors than the other two texts (e.g. the accountability principle, privacy by design/default, documentation).

7. Data security

  • Stronger focus on data security, more prescriptive obligations.
  • Security breach: The controller must notify the DPA within 24 hours/without undue delay/72 hours of a security breach (Commission/Parliament/Council text). Individuals should also be informed without undue delay. There are potential exceptions to the requirement to notify individuals, e.g. under the Parliament text if the data is encrypted, or in the Council text only if there is a high risk to individuals. Processors have a primary obligation to inform the controller, and assist with the other notifications.

8. Governance

  • Data Protection Officers: Possible requirement for controllers and processors to appoint a Data Protection Officer. However there is significant disagreement as to when this will apply: the Commission suggests any organisation with 250+ employees, whilst the Parliament’s proposal is if the data processing relates to 5,000+ individuals. The Council text does not have mandatory appointments – although member states would be able to legislate for this in their national law.
  • Penalties(!): Huge increase in fines. Currently, the maximum fine in the UK is £500,000. The Commission and Council are proposing EUR 1 million or 2% of global turnover; the Parliament said EUR 100 million or 5% of global turnover. The fines could apply to controllers or processors. There is a relatively low threshold, in terms of the nature of the breach, for the fine to be available.

The original article can be found here.


About Article Author

GDPR Associates


Comments

  1. ada.sandridge
    July 26, 19:38

    Admiring the persistence you put into your website and detailed
    information you present. It’s good to come across a blog every once in a while that isn’t the same old rehashed material.
    Wonderful read! I’ve bookmarked your site and I’m
    including your RSS feeds to my Google account.

  2. bandar togel
    September 01, 19:13

    Excellent blog post. I absolutely love this site.
    Keep it up!

  3. alisiamalley
    September 11, 04:01

    Thanks for sharing your thoughts. Regards

  4. jessika.mayers
    September 14, 16:45

    Way cool! Some very valid points! I appreciate you writing this
    post, plus the rest of the site is really good.

  5. jovitamcwilliams
    September 16, 11:27

    Hello my friend! I want to say that this article is awesome, well
    written and includes approximately all significant info.
    I would like to see extra posts like this.

  6. rose.munday
    September 17, 14:40

    Touché. Solid arguments. Keep up the great work.

  7. earleneparas
    September 18, 16:12

    Everyone loves what you guys are up to. Such clever work and reporting!
    Keep up the awesome work guys, I’ve incorporated you guys into our blogroll.

  8. anne_denson
    September 19, 16:13

    Hey there! I simply want to give you a big thumbs up for the great info you have got right here
    on this post. I’ll be coming back to your site for more soon.

  9. kaylaheritage
    September 19, 17:05

    Thanks for sharing your thoughts. I truly appreciate your efforts
    and I am waiting for your next post, thanks once again.

  10. sabine.mccallum
    September 21, 15:29

    We absolutely love your blog and find many of your posts to be exactly what I’m looking for.
    Do you offer guest writers to write content for yourself?
    I wouldn’t mind composing a post or elaborating on most of the subjects you
    write regarding here. Again, awesome web log!

  11. alexanderwhitman
    September 22, 22:53

    Bookmarked!!, I like your blog!

  12. melodee.meredith
    October 13, 19:28

    I think that is one of the most vital info for me.
    And I am glad reading your article. However, wanna observation on some normal issues: the web site style is perfect,
    the articles are truly nice :D. Excellent task, cheers