General Data Protection Regulation

 “17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds.
The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.
My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses.
A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Announcement of European data protection reforms
Viviane Reding, EU Justice Commissioner and Vice-President of the Commission, 25 January 2012


Playback of this video is not currently available


Key points

One of the new ambitions that the GDPR promotes is to give natural persons residing in the EU, the "data subjects", an increased level of control over their information. It also aims to improve the environment by ensuring that data controllers and processors are safe custodians of data through promoting behavioural change. The GDPR provides for enhanced supervision by increasing the powers of the regulator as champion of the data.

Initial requirements to comply with that a business should look at are:

Data protection by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that data processing safeguards by design the rights of the data subject. There are a few key steps to follow if a business does not want to embark on a full review and overhaul: minimise data collected; do not retain data beyond its original purpose; and, give the data subjects access and ownership of that data.

Right to be forgotten

This is the right for consumers to erase their data. This is more far-reaching than a business might consider at first blush. A consumer or data subject can request to erase the data held by companies at any time and, if it has been passed on to any third parties (or third party websites), they would have to erase it as well.

Be aware of breach penalties

For serious penalties, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious chunk of revenue of even the largest multinational.

Potential for brand damage

If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, personal data breaches must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data for 10 customers or 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.

Data Protection Officer

Important projects need owners. Under the GDPR, a data protection officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR and businesses will need to appoint DPOs sooner rather than later.

In order to be ready for the GDPR, entities will need to set their vision, agree their strategy and constitute their structures for achieving data protection and privacy operational change and compliance. These are not simply legal questions: getting ready for the GDPR requires multi-disciplinary skill sets. The PwC Luxembourg  team has all of those skill sets to provide an end-to-end solution to the challenges ahead.

Our Services

Assessing compliance

Services that can help you understand where you are positioned with respect to GDPR requirements.

PwC can help with understanding where your data assets are, and what are the controls in place to protect those assets.

We can help you conduct data protection assessments, gap analyses, and overall evaluations of  the data protection maturity within the organisation.

View more

Improving compliance

Services that can help you build on your existing structures and controls to improve your personal data protection approach and controls.

PwC can help you with the following challenges:

  • Educate and train your staff related to GDPR;
  • Define privacy controls and privacy policies;
  • Define processes to react to data breaches;
  • Implement accountability mechanisms;
  • Mitigate data breaches;
  • Use data protection tools in line with privacy policies.

View more

Enhancing Data Governance

Services that can help you build and customise your own governance approach to data protection.

PwC can help you design your own program to improve data protection maturity within the organisation. Specific points in this design include:

  • Defining specific privacy and accountability policies;
  • Using robust and sound metrics to compare yourself against competitors;
  • Selecting and training specific data protection roles within your organisation;
  • Aligning privacy strategies to business strategies in order to bridge the compliance gap and protect personal data.

View more

How can we help?

Our data protection team includes consultants, auditors, risk specialists, forensics experts and strategists.

As a multi-disciplinary practice, we are uniquely placed to help you adjust to the new environment.


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Frédéric Vonner

Partner, GDPR and Privacy Leader, PwC Luxembourg

Tel: +352 49 48 48 4173

Cédric Nédélec

Data Protection Officer, PwC Luxembourg

Tel: +352 49 48 48 2186

Follow us