The EU General Data Protection Regulation (GDPR) will apply directly in all EU Member States from 25 May 2018. It will repeal and replace Directive 95/46EC and its Member State implementing legislation.

Together with the Directive on the Processing of Personal Data for the Purpose of Crime Prevention, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world in the last 20 years.

The GDPR rules apply to almost all private sector processing by organisations in the EU or by organisations outside the EU which target EU residents. The export regime will ensure their impact is felt where such organisations transfer personal data to the EU. The maximum fines for non-compliance are the higher of €20m and 4 per cent of the organisation’s worldwide turnover.

The concept of accountability is at the heart of the GDPR rules: it means that organisations need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or programme that allows them to achieve compliance.

Our GDPR checklist is designed to give an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organisations need to take to meet those requirements. It can be used to gain an understanding of where an organisation has gaps in its compliance and to articulate how its control programme meets the requirements. It should be noted that certain parts of the GDPR (such as exceptions to the data subject rights and where processing is in the substantial public interest) are supplemented by Member State local legislation and guidance from local data protection authorities and the Article 29 Working Party, which becomes the European Data Protection Board under the GDPR.

If your organisation needs assistance with analysing and implementing changes arising from the application of the GDPR please contact one of the Norton Rose Fulbright data protection team members whose details are set out at the back of the checklist.

Download the GDPR Checklist



Contacts

Marcus Evans
Marcus Evans
Head of Information Governance, Privacy and Cybersecurity, EMEA
Email
marcus.evans@nortonrosefulbright.com
T: +44 (20) 74443959
Nadège Martin
Nadège Martin
Partner
Email
nadege.martin@nortonrosefulbright.com
T: +33 (1) 56595374
Christoph Ritzer
Christoph Ritzer
Partner, Co-Head of Cybersecurity
Email
christoph.ritzer@nortonrosefulbright.com
T: +49 (69) 505096241
Floortje Nagelkerke
Floortje Nagelkerke
Partner
Email
floortje.nagelkerke@nortonrosefulbright.com
T: +31 (20) 4629426

Practice area:

Industry:

Recent publications

Pacific globe

Publication

Insurance regulation in Asia Pacific

Ten things to know about insurance regulation in 19 countries.

Global | enero 14, 2025

Insurance
Vessel at a dock loading containers

Publication

Paying the Price: Court of Appeal holds debt still due when non-fulfilment of a condition precedent is caused by the buyer’s own breach

In King Crude Carriers SA & Ors v Ridgebury November LLC & Ors [2024] EWCA Civ 719 the Court of Appeal held that the claimant sellers (the Sellers) were entitled to claim the deposits promised under sale contracts as a debt despite the defendant buyers’ (the Buyers) breach of contract, which had resulted in the non-fulfilment of a condition precedent to the payment of the deposits.

Global | diciembre 18, 2024

Shipping
Large shipping vessel with containers

Publication

Can a charterer procure the release of a laden vessel arrested by a mortgagee bank?

As previously observed, conflicts occasionally arise between mortgagees and charterers where a mortgagee wishes to take prompt action to enforce its rights, but the charterer wishes such enforcement action to be deferred until the end of the charter.

Global | diciembre 05, 2024

Shipping
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now