Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > WHAT BUSINESSES NEED TO KNOW ABOUT DATA PROTECTION LAW FOLLOWING LANDMARK EU LEGISLATION

WHAT BUSINESSES NEED TO KNOW ABOUT DATA PROTECTION LAW FOLLOWING LANDMARK EU LEGISLATION

Published by Gbaf News

Posted on May 13, 2016

5 min read

Last updated: January 22, 2026

Adaptive Insights’ cloud CPM platform recognized for innovation in finance - Global Banking & Finance Review — Featured image showcasing Adaptive Insights’ cloud CPM platform, recognized for its innovative data visualization and enterprise capabilities, as highlighted in the 451 Research report.

Detlev Gabel, Tim Hickman, Audrey Oh, White & Case

After an unexpectedly long legislative process, the EU has published Regulation 2016/679 (the General Data Protection Regulation or “GDPR”). But what are the future implications of this new legislation?

Timeline

On 4 May 2016, after more than four years of drafts, discussions and negotiations, the GDPR was published in the Official Journal of the EU by the Secretaries-General of the European Parliament and of the Council of the EU. It will come into force after a further twenty days, followed by an effective two-year grace period, meaning that enforcement of the GDPR will not begin until 25 May 2018.

During this period, the existing collection of national data protection laws, based on EU Directive 95/46/EC, will continue to apply. However, organisations will need to use the two-year window wisely. It is important for organisations to allocate sufficient time and resources to ensure that they are compliant with the GDPR by May 2018. Failure to meet this deadline may result in enforcement action under the GDPR, including possible fines up to the greater of €20 million, or 4% of annual global turnover. France is already in the process of introducing legislation to implement fines at these levels immediately, rather than waiting for the GDPR to become enforceable. It is not yet clear whether other Member States will follow suit.

What are the key concerns for businesses?

The GDPR makes wide-ranging changes to existing EU data protection law. In particular, businesses should bear in mind the following points:

Territorial application – The GDPR applies to non-EU businesses if they: (i) target their goods or services at EU residents (e.g., using local domain names, in the local language, offering local delivery and accepting payment in local currency); or (ii) monitor the behaviour of EU residents. Many businesses that are not subject to existing EU data protection law will be subject to the GDPR, especially businesses operating in the EU in an online context.
Remedies and sanctions – As noted above, the consequences of breaching EU data protection law escalate dramatically under the GDPR, which sets the maximum fine for a single breach at the greater of €20 million, or 4% of annual global turnover.
Consent – Under the GDPR, consent becomes harder for businesses to obtain and rely on. Notably, the GDPR states that consent is not valid where there is a ‘clear imbalance’ between the controller and the data subject.
Increased compliance obligations for controllers – The GDPR imposes increased compliance obligations on businesses that act as controllers (e.g., implementing appropriate policies, keeping records of processing activities, appointing a Data Protection Officer in some cases, implementing privacy by design and by default, etc.). For many businesses, this is likely to require a significant overhaul of their data processing activities.
Direct compliance obligations for processors – Existing EU data protection law generally does not impose direct legal compliance obligations on processors. However, under the GDPR, processors have direct legal compliance obligations, and Data Protection Authorities can take enforcement action directly against processors. For businesses that commonly act as processors (e.g., outsourced service providers to financial institutions) this is a significant change, and may result in attempts to re-negotiate existing processing agreements.
72-hour data breach notification – The GDPR requires businesses to report data breaches to the relevant Data Protection Authority within 72 hours of detection. For most businesses, radical changes to internal reporting structures will be needed in order to be able to meet this deadline.

Wider context

The publication of the GDPR in the Official Journal marks the end of a long journey. The first draft of the GDPR, setting out a comprehensive reform package of the EU’s data protection rules, was published by the European Commission in January 2012. It has since been through numerous rounds of revisions, committees and votes, which have taken significantly longer than many commentators originally anticipated.

In parallel to the GDPR, the EU has also adopted a new Police and Criminal Justice Directive which governs the processing of personal data for the purposes of prevention, detection, investigation or prosecution of criminal offences, and related judicial activities. The UK has effectively opted out of this Directive, meaning that the processing of personal data for policing and criminal justice purposes in the UK may be governed by a different set of rules from the rest of the EU. The practical impact of the UK’s decision on this issue remains to be seen.

Next steps

Once the GDPR comes into force, two further key developments are expected. First, EU Data Protection Authorities will, individually and collectively, begin to issue guidance on the application and interpretation of the GDPR, with the aim of helping organisations to achieve compliance with the requirements of the GDPR. This guidance is expected to offer additional clarification of certain issues in the GDPR that are not totally clear from the current text (e.g., several of the new data transfer mechanisms set out in the GDPR require significant further explanation before they can be used in practice).

Second, the European Commission has launched a Public Consultation with the aim of reviewing Directive 2002/58/EC (the “ePrivacy Directive”). The potential for overlap between the GDPR and the ePrivacy Directive has been the subject of much discussion in recent months. For example, that overlap could result in controllers that suffer a data breach being obliged to report that same breach twice – once under the GDPR and once under the ePrivacy Directive. It is hoped that the Commission’s efforts will resolve these issues before enforcement of the GDPR begins.