R&C: Could you provide a brief overview of the General Data Protection Regulation (GDPR) and its key provisions?

Jones: The GDPR will replace the existing 1995 Data Protection Directive, which has been implemented into the national laws of each Member State, with one regulation which will apply across Europe – although Member States will still have the ability to introduce their own derogations in certain areas. The GDPR broadens the scope of data covered by existing laws to include information that could directly or indirectly identify an individual, including through the use of online identifiers and IP addresses.

Del Poyo: The GDPR gives additional and extensive rights to individuals to access, delete, modify and transfer their information between providers. The main themes of the GDPR are accountability and transparency. Organisations that decide what data should be collected and how it should be used, known as controllers, are required to ensure that data is processed lawfully and fairly and only used for specific purposes; that as little data is collected and processed as possible; and that data is kept accurate, only stored for a limited time and kept secure. The GDPR will still operate alongside national data protection legislation. If we look at Spain, for example, we are not in a position to provide a clear overview on the specificities of the Spanish law implementing the GDPR. Although a draft bill has been published, it is very likely that an important number of amendments will be introduced before a final text is adopted by parliament. Other EU countries are also drafting their own national legislation.

Oct-Dec 2017 Issue

Osborne Clarke