"The digital future of Europe," Andrus Ansip, Vice President for the Digital Single Market noted in December 2015, "can only be built on trust." His comments crowned four years of intense negotiation, the result of which is the General Data Protection Regulation (GDPR), expected to be formally adopted by the European Parliament and Council in the next few months and to come into effect two years thereafter.

There are multiple reasons for replacing the 1995 Data Protection Directive, including the need to keep pace with new technologies and to reduce the burden on companies operating across several European jurisdictions. Previously, companies had to deal with as many Data Protection Agencies as the member states they operated in; under the GDPR they will deal only with the Supervisory Authority in the jurisdiction where they have their main establishment. Clearly, replacing 28 different data protection laws with one harmonised regulation is a practical measure (the reduction of red tape is expected to save companies €2.3 billion in annual expenditure), but the issue of trust is an equally important factor, and companies should strive to keep it in focus when preparing for the new regulation.

The last decade has been notable for high profile whistleblowing and data leakages that have called into question the protective structures around personal data. The impact of Edward Snowden's revelations can be seen in the Court of Justice of the European Union's recent decision in the Schrems case whereby the EU-US Safe Harbour regime was deemed invalid, leading to the negotiation of a new and hopefully improved framework for data transfers from the EU to the US (Privacy Shield).

The recognised vulnerability of personal data found expression in a recent Eurobarometer survey, which found that two thirds of Europeans are concerned about the lack of control they have over the information they provide online. The GDPR seeks to resolve the issue by giving EU citizens much greater control over their personal data. At the same time, companies that process or control data within the EU will have far higher obligations towards their customers. Failure to observe these obligations will lead to extremely heavy sanctions: companies will be liable for up to €20 million or 4% of annual turnover from the previous year, depending on the severity of the matter, whether a breach was caused by negligence or intent, whether mitigating actions were taken, and so on.

Company obligations under the GDPR comprise roughly 200 pages of text, but the following are some of the main provisions:

  • The issue of consent: companies must gain explicit consent from customers before processing customers' personal data.
  • Information: companies must clearly inform customers of the legal basis that allows them to process customer data, as well as of the complaint channel open to customers who are unhappy with the company's handling of their data. In the case of a data breach where the customer's data is clearly threatened, the company must notify the customer within a reasonable timeframe.
  • Responsiveness: companies will be obliged to respond to customers' requests for access to their data. A customer can also change their mind after giving consent: if they willingly provided personal data to the company but then requested that the company delete it, the company must do so (as long as the data is not necessary for contracted purposes). The right to demand deletion of data that is not necessary to the company (i.e. the right to be forgotten, or the right to erasure) is enshrined within the GDPR.
  • Data Protection Officer: larger companies which process and control data must appoint a dedicated data protection officer, and ensure that the role is adequately resourced and able to act independently. As a general rule, SMEs will not have to appoint such a figure, though this exemption does not apply to businesses where the control and processing of data is a core function.
  • Privacy by Default and Design: companies must adopt a Privacy by Default and Design policy, meaning that at every stage of their business, from development onwards, they must be conscious of their customers' entitlement to privacy and build in all necessary mechanisms for safeguarding customers' data.
  • Pseudonymisation: where possible, companies should disguise an individual's personal data while it is being processed so that, if a breach occurs, the data cannot be used to identify that individual without recourse to additional information.

Inevitably, some companies will feel that these new regulations strip away old hindrances only to present new ones, and certain public figures have already expressed their concern. MeMe Rasmussen, Chief Privacy Officer for Adobe, has said that the GDPR "was written by people who don't run businesses," while other figures such as Sheryl Sandberg and even President Obama have signalled their wariness. On the other side, some feel that the regulations don't go far enough. Germany's Data Protection Authorities, for instance, highlighted their concern that the GDPR would weaken Germany's existing regulations, and noted that they would have liked to see provisions such as the mandatory appointment of a Data Protection Officer applied more widely.

The two-year period prior to the commencement of the GDPR will give companies space to fully consider their data protection activities in light of the incoming Regulation and to put in place necessary measures and safeguards in accordance with their obligations, in particular the Privacy by Default and Design principles. The penalties for non-compliance are severe and well-advertised, but perhaps it is more important to reflect on the benefit for companies that actively engage with the new measures and seek to cultivate something more than mere observance. Such a benefit will be the trust of their customers. In an age where the misuse of personal data has led to a high and pervasive level of cynicism, perhaps it is trust that will emerge as the most valuable economic asset.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.