General Data Protection Regulation

On 25th May 2018, the General Data Protection Regulation (GDPR) came into force, revolutionising the way that personal data are used and handled. Controllers and processors of personal data need to adhere to the new regulation in order to be compliant. PwC can help.

What does GDPR mean for my organisation?

If you are an organisation processing personal data in Europe; or you are targeting Europe for goods and services; or you are monitoring the activities of European citizens online, you will now need to comply with GDPR.

The GDPR is the largest development to data protection legislation since the European Data Protection Directive in 1995. It will require wide-scale privacy changes in all regulated organisations, and regulators will gain unprecedented powers to impose fines. Nevertheless, the GDPR also represents an opportunity to:

  • transform your approach to privacy,
  • harness the value of your data, and
  • ensure your organisation is fit for the digital economy.

It is essential that organisations are able to demonstrate to regulators that they have robust plans in place to comply.

General Data Protection Regulation - our view on the key components in the GDPR


Playback of this video is not currently available

Stewart Room, Joint Global Head of Data Protection and Global Legal Services leader, PwC UK, discusses the General Data Protection Regulation (GDPR) and its impacts for both entities and citizens | Duration 1:48

GDPR at a glance

It puts individuals back in control of their personal data

Consumers, customers, workers and users of public and charitable services have more power to control how their data is used. Controllers and processors of personal data could be required to report on, move or dispose of personal data if requested and they must have the capabilities to do this whenever the laws apply. The options for using personal data is restricted.

How you use data will be more transparent

The idea of transparency is now considerably strengthened under the GDPR. Article 5 of the GDPR sets out a number of principles with which data controllers must comply when processing data. They must process the data “lawfully, fairly and in a transparent manner in relation to the data subject”. Organisations will be required to articulate all of the ways personal data is used, and make it clear to individuals what their data is being used for and with whom they have shared it.

Organisations will be subject to higher standards of accountability

Organisations will be required to implement measures to prove their compliance. Such measures include keeping records of processing activities, providing individuals with notice of their rights and employing techniques like pseudonymisation or encryption to ensure the security of personal data. Additionally, organisations will also have to ensure that data they pass to third parties is handled in a manner compliant with the GDPR. As well as this, some may have to appoint a Data Protection Officer (DPO) and undertake privacy impact assessments.

Fines are getting bigger, and the timelines are getting shorter

The GDPR introduces a tougher enforcement regime and it exposes entities to increased financial liability. Fines for non-compliance can be as severe as 4% of annual turnover or 20m EUR – whichever is higher.

Data subjects’ rights have been strengthened and expanded upon

The data subjects’ rights aim to allow individuals to have control over their personal data and people will also be entitled to sue for compensation if they suffer damage or distress by reason of non-compliance. The regulation retains the existing rights of data subjects and creates new rights for individuals such as the “right to be forgotten” and the “right to data portability”. These rights are complex and it is unclear how these rights will operate in practice. As data subjects’ rights strengthen, it is important that organisations are aware of what each right means for them and their business.

How we can help


MyDPO is our flexible service for statutory Data Protection Officers (under Articles 37-39 of the GDPR), for Chief Privacy Officers, and for other in-house privacy teams.

We can help you to understand whether or not you are required to appoint a DPO and the best approach to ensuring that your organisation delivers on its legal requirements under the GDPR. Where you are not required to appoint a DPO, we can help you to understand the options for ensuring effective data protection compliance in your organisation.

View more

Second Opinion Service (S.O.S)

Organisations that are pursuing a business transformation programme for the GDPR or any other data protection legal framework sometimes require a second opinion on the focus, priorities and design of that programme.

Whether you have highlighted potential failings, or just want peace of mind, our second opinion service provides an independent, impartial and informed assessment of any aspect of your data protection programme or framework against any benchmark or metric that you may choose, including the current priorities of the regulators, privacy advocates and the courts.


View more

Complaints handling

Failure to recognise that complaints have been made, or failing to handle them properly, is often the root cause of very serious legal problems, such as regulatory investigations, enforcement actions, litigation and compensation claims.

Our complaints handling service provides an end-to-end solution for the challenges that this area involves; from understanding the reasons why complaints are received, defining your strategy for complaints handling and response, through to training your staff to recognise and respond to complaints effectively.

View more

Data Subject Rights handling

People are empowered by a variety of data subjects rights. These rights are designed to help put people back in control of their personal data. In exercising these rights, people have a direct channel into the heart of your business and the data processing activities that you are undertaking. If a rights request is mishandled this gives people the right to take court action, including to sue for compensation, and the right to take complaints to the data protection regulators. As well as triggering very difficult legal problems, rights mishandling can damage trust, brand and reputation.

Our Data Subject Rights handling service provides end-to-end support for all rights handling.

View more

Personal Data Breach handling

Under the compulsory Breach Notification requirements introduced by the GDPR, organisations have a statutory duty to report certain types of security breaches to the regulators and to people affected. The rules for notification are complex and can be very difficult to operationalise in practice.

Failure to understand and properly implement these requirements can increase the risks of non-compliance and potential over-notification, attracting unnecessary and unwanted attention from adverse scrutineers.

Our Personal Data Breach Handling provides support for all aspects of breach handling


View more

Disputes and Litigation

Data protection disputes may arise following a complaint to the organisation or the regulators; after a rights request; as a result of a personal data breach or due to a failure to deliver on business-to-business contractual requirements. In serious cases, these disputes can escalate into regulatory enforcement actions, litigation and compensation claims, with longer term impacts for trust, brand and reputation. 

Our disputes and litigation service can help you to manage all aspects of dispute resolution, including providing advice on your legal standing and representation in mediation and arbitration proceedings, regulatory investigations and enforcement actions and in courts and tribunals proceedings.

View more

Other Data Protection and e-Privacy services

Our multi-disciplinary data protection team includes practising lawyers, management consultants, auditors, risk professionals and forensic investigators, who work together under our Privacy Transformation methodology.  Privacy Transformation provides full end-to-end support with all aspects of data protection and e-privacy, including:

  • legal advice and compliance requirements;
  • data protection framework and target operating model design and development;
  • data protection and e-privacy programme design, set-up and management;
  • risk and compliance assessments and gap analysis;
  • policy, processes and controls development and testing;
  • training and awareness;
  • ongoing performance monitoring and assurance; and
  • support with all day to day data protection and e-privacy matters.

View more


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}
Stewart Room

Stewart Room

Partner, PwC United Kingdom

Tel: +44 (0)7711 588 978