The EU General Data Protection Regulation - three key features your organisation needs to know

The EU General Data Protection Regulation – three key features your organisation needs to know


By Ardi Kolah BA(Hons), LL.M, FCIM, FRSA
Programme Co-Director, Data Protection Officer (DPO) Programme, Henley Business School 

It’s been four years since the European Commission proposed a radical overhaul of Europe’s out-of-date data protection laws, but the EU General Data Protection Regulation (GDPR) has now come into force.

The GDPR creates the legal framework for the operation of the Digital Single Market, as well as helping to create a level playing field by sweeping away 28 different data protection and privacy laws across individual EU member states and replacing them with this one EU regulation.

At 260 pages in length, with 99 Articles and over 100 pages of explanatory notes known as ‘Annexes’, the GDPR is roughly three times the length of the Data Protection Act 1998 it is replacing.

And irrespective of Brexit, all UK financial services organisation doing business in the EU will need to comply with the GDPR.

There are many features of the GDPR, but these are three big ones: 

 Removal of the requirement of the data controller to notify or seek approval of personal data processing from the Data Protection Authority (DPA). Although this cuts ‘red tape’, the GDPR actually places a higher duty on organisations to put in place effective procedures and mechanisms focusing more on high-risk operations (e.g. involving new technologies) and carry out a data protection impact assessment (DPIA) across the whole organisation rather than on a project basis.

 Data processors (such as cloud service providers) now have direct obligations and this includes implementing technical and organisational measures, as well as notifying the data controller without undue delay when there’s a personal data breach, which now must be reported to the supervisory authority within 72 hours.

  In certain circumstances, both data controllers and data processors must designate a data protection officer (DPO). This is the new breed of senior manager who is independent and, although the DPO reports to the highest level of management authority, in reality, they are a mini-regulator sitting in the company. Any financial services organisation that’s regularly and systematically monitoring and processing personal data of its customers/clients will need to appoint a DPO or hire a freelance DPO to do the job.

If you’d like to learn more about the Data Protection Officer Programme and how this can help ensure that your DPO is up to date in this rapidly evolving area, contact us on +44 (0)1491 418 767 or email 

Related links