The European Union’s General Data Protection Regulation (“GDPR”) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. This new regulation will apply in all EU member states as of May 25, 2018. GDPR updates the 1995 Data Protection Directive by introducing tougher fines for noncompliance and breaches and by putting control of personal data back into the hands of the individual. It also means that organizations cannot simply gather data without good reason and must prove that they are doing all they can do to protect the data they hold.

Previously, under the directive, each EU member state was free to adopt laws in accordance with the principles laid out in the directive. This meant there were differences in the way each member country implemented and enforced the directive. Because the GDPR is a regulation and not a directive, it uniformly applies in all EU member states.