New data protection laws are coming in May 2018

In 2016, the European Parliament adopted the GDPR – General Data Protection Regulation – which is the most important change in data privacy regulation in 20 years. The new regulation will be applied to all EU members states on the 25th of May 2018.

The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. This is to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

Who does it concern?

The new GDPR regulation will be applied to all companies – from SME’s to Fortune 500 – that collect and handle clients’ data’s.

What is the principle?

The major issue concerns the concept of consent to the collection and conservation of data, a concept which is one of the specific features in European law. Personal data belongs to citizens; as of May 2018, businesses including US giants such as Facebook, Google, Apple, Amazon… will no longer be able to argue a presumption of consent to justify the use of their customers and users.

Concretely, what does it change?

As of May 2018, all companies will need to provide accurate information about how they handle and retain personal data. That information should also be formulated in a clear and precise manner in the interests of transparency.

How does it impact business?

GDPR imposes a few obligations on companies:

  • protect personal data against any accidental or voluntary loss, theft or misuse
  • build and maintain a « record of processes », describing one or several reasons for the processing, the personal data used, the rules followed regarding data retention, the possible transfers of data, the organizational and technical measures of protection, …
  • data processors: GDPR imposes specific obligations on data processors, including an obligation to implement appropriate security standards, ensure adequate record-keeping and inform the data controller of any breach. Data processors will now be exposed to regulatory fines or private claims from individuals in the event of a breach.

What should you do in case of an incident related to personal data?

Any incident that may have compromised the integrity of customers’ data must be declared officially to the CNPD in Luxembourg and CPVP in Belgium within 72 hours.


The legislator has provided several sanctions for non-compliance, ranging from a simple warning to a fine of up to € 20 million or 4% of the company’s global turnover in the event of infringement of the rules.


It is time to start planning for GDPR compliance: May 2018 is only a few months away.

The practical part is prioritizing the resources, prioritize support, prioritize what capabilities you need at what level of maturity, in order to arrive in a state that you feel comfortable with by May 2018.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s