Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

The EU General Data Protection Regulation Is Now Finalised. Here’s What You Need to Know.

Published by Gbaf News

Posted on February 2, 2016

5 min read

Last updated: January 22, 2026

Add as preferred source on Google

Illustration of GDPR compliance requirements for businesses - Global Banking & Finance Review — This image highlights the key aspects of the EU General Data Protection Regulation (GDPR) that businesses must understand to ensure compliance. It reflects the importance of data protection and privacy in the finance sector, emphasizing the need for companies to appoint Data Protection Officers and adhere to strict guidelines to avoid hefty fines.

You are back in the office after the long holiday break and busy catching up. Did you miss the story about the EU’s General Data Protection Regulation (GDPR) receiving final approval? Some are calling it a “milestone of the digital age”.

Andy Green

Andy Green

We’ve been following the GDPR on the Varonis blog over the last two years. If you want to catch up very quickly, read our omnibus post that’s a tasty distillation of our wisdom on this subject.

Or if you have some more time, check out our comprehensive GDPR white paper.

With the final draft, a few ambiguities and loose ends were ironed out from the different versions provided by the EU Parliament and the Council.

I’ve put together a few key points that should resonate with Inside Out readers. Keep in mind the GDPR will take effect in 2018, and until then the old Data Protection Directive (DPD) remains the law.

Fines

We have closure on the question of fines: the GDPR has a tiered fine structure.

For example, a company can be fined up to 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33).

More serious infringements merit a 4% fine. This includes violation of basic principles related to data security (article 5) and conditions for consumer consent (article 7)– these are essentially violations of the core Privacy by Design concepts of the law.

The EU GDPR rules apply to both controllers and processors that is “the cloud”. So huge that cloud providers are not off the hook when it comes to GDPR enforcement.

Data Protection Officer

It’s official: you’ll likely need a Data Protection Officer or DPO. You can read the fine print in article 35.

If the core activities of your company involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of “special categories” of data—racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation– then you’re required to have a DPO.

In the US, the closest job title to this is a Chief Privacy Officer.

In any case, the job function of the DPO includes advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority or DPA.

Data Breach Notification

24 or 72 hours?

And the winner is … 72.

Article 31 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.

According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data – the EU’s term for PII—is considered a breach.

Note my emphasis on unauthorised.

Based on my understanding of the GDPR, this means that if an employee sees data that’s not part of their job description, it could be considered a breach.

Of course, this is not a problem for your company, because your IT department has done a thorough job reviewing file access lists and has implemented role-base access controls.

You can read more about what you have to provide to the data authority in our “What is the EU GDPR” post.

Bottom line: The GDRP notification is more than just saying you have had an incident. You’ll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insider were doing.

Data processors have a little more wiggle room: they’re supposed to notify the company they’re doing the work for—the controller– “without undue delay”.

Under what conditions does a company have to tell the subject about the breach?

You can read the details in article 32, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.

For Countries Outside the EU

We’ve been raising the al arms on extra-territoriality for several months now.

With the GDPR finalised, we can say with certainty the law applies to your company even if it merely markets goods or services in the EU zone.

In other words, if you don’t have a formal presence in the EU zone but collect and store the personal data of EU citizens, the long arm of the GDPR can reach out to you.

As many have been pointed out, the extra-territoriality requirement (article 3) is especially relevant to ecommerce companies.

Social media forums, online apartment sharing, artisanal craft sites, or beers of the world clubs: you’ve been warned!

Other Resources

All the permutations of the GDPR and how it can applies is just too complex to cover in a few blog posts. Of course, your Data Privacy Officer is the go-to person for advice, along with outside legal experts.