Image by: Pe3check, ©2018 Getty Images

In May of 2018, a transformative new requirement, the General Data Protection Regulation (GDPR), goes into effect. The GDPR is a regulation issued by the European Commission, the European Parliament, and the Council of Ministers of the European Union (EU) with the purpose of strengthening and unifying data protection for people residing in the EU. Of particular note, the protection offered by the GDPR is not limited to EU citizens or residents but applies to anyone inside the EU, which includes individuals traveling in those countries.

This legislation supersedes the Data Protection Directive (Directive 95/46/EC), which was adopted on October 24, 1995. The GDPR has two common high-level objectives:
  • Harmonize the fragmented legacy legislation among EU member states
  • Address public perceptions that doing business on the Internet is inherently risky
Many concerns arise from the wide publicity given to successful cybercrime attacks, resulting in personal data theft. The explosive use of mobile devices, adoption of big data analytics, and increased volumes of personal data being digitally generated, processed, and shared create opportunities for EU citizen data to be exposed. The GDPR aims to make the online environment more trustworthy and harmonized, thereby, supporting the EU’s Digital Single Market.

There are a few common questions that organizations worldwide are asking about the GDPR.

What Is the Material Scope of the GDPR?

The GDPR applies to the processing of personal data either electronically or as part of a paper filing system.

Which Organizations Does the GDPR Affect?

The GDPR expands the scope of the current EU data protection law, which affects only data controllers established in the EU. The GDPR has extraterritorial effect and, thus, applies even to data controllers and processors who are not established in the EU but who offer goods or services to data subjects or monitor data subject behavior (sometimes referred to as profiling) within the EU.

What Is the Difference Between a Regulation and a Directive?

A regulation is a binding legislative act. It must be applied in its entirety across the EU. A directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation—in contrast to previous similar legislation classified as a directive (e.g., the Data Protection Directive).

How Does the GDPR Define “Personal Data?”

Personal data is any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

What Is Considered “Special” Personal Data?

The GDPR refers to sensitive personal data as “special categories of personal data.” This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or a natural person’s sex life or sexual orientation.

These categories are generally the same as those in the Data Protection Directive. Under Article 8(1) of the Directive, "sensitive personal data" is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health or sex life.

Under the GDPR, the definition of sensitive data now also includes “genetic data” and “biometric data,” so long as those data elements are processed in an identifiable manner. These categories of personal data are considered sensitive because they are particularly open to abuse.

Data controllers must be able to demonstrate that they have a legal basis for the processing of special personal data. The GDPR introduces a new requirement to perform a data protection impact assessment when a type of processing is likely to result in a high risk to the rights and/or freedoms of data subjects.

Specifically, a data protection impact assessment must be performed in the case of “processing on a large scale of special categories of data.” This means that under the GDPR, simply having a legal basis (such as the consent of the data subject) is no longer wholly sufficient to process special personal data in cases where the risk to an individual is assessed as high, unless the assigned data protection authority explicitly sanctions the processing.

What Now?

Many executives remain unaware of the full impact of the GDPR, and those who are aware of it do not feel they are ready to fully comply with its specifications. Because the penalty stakes are becoming more material, some of the requirements have major implications on how organizations store and process personal information. Many of these organizations must make significant changes to business processes and underlying technology in order to support the rights of EU data subjects.

Katie Stevens is an Associate Director in Protiviti’s Security and Privacy practice. She’s based in the firm’s Chicago office. For more information, visit