General Data Protection Regulation

 “17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds.
The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.
My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses.
A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Announcement of European data protection reforms
Viviane Reding, EU Justice Commissioner and Vice-President of the Commission, 25 January 2012




Key points

One of the new ambitions that the GDPR promotes is to give natural persons residing in the EU, the "data subjects", an increased level of control over their information. It also aims to improve the data protection environment by promoting behavioural change, so that data controllers and processors act as safe custodians of data. The GDPR provides for enhanced supervision by increasing the powers of the regulator as champion of the data.

The initial requirements a business should look at in order to comply are:

Data protection by design

Controllers must implement appropriate technical and organisational measures and procedures to ensure that data processing safeguards the rights of the data subject by design. There are a few key steps to follow if a business does not want to embark on a full review and overhaul: minimise the data collected; do not retain data beyond its original purpose; and give the data subjects access to and ownership of that data.

Right to be forgotten

This is the right of consumers to have their data erased. It is more far-reaching than a business might consider at first blush. A consumer or data subject can request at any time that the data held by a company be erased and, if it has been passed on to any third parties (or third-party websites), those third parties would have to erase it as well.

Be aware of breach penalties

For serious infringements, the GDPR allows for fines of up to €20 million or 4% of total worldwide annual turnover (whichever is higher), which would be a serious share of revenue even for the largest multinational.

Potential for brand damage

If a personal data breach is likely to cause a high risk to the rights and freedoms of the data subjects, the breach must be notified to the relevant data subjects without undue delay, unless the controller can demonstrate that encryption or other technology rendered the data unintelligible to third parties. So whether the data of 10 customers or of 1,000,000 customers is lost, they would all have to be told. The potential for significant brand damage, litigation and media reporting of an incident is clear and could spell the end of a business overnight.

Data Protection Officer

Important projects need owners. Under the GDPR, a data protection officer (DPO) is responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches and even creating a good data security policy. Businesses will need someone to act as the focal point in ensuring compliance with the GDPR, and they will need to appoint DPOs sooner rather than later.

In order to be ready for the GDPR, entities will need to set their vision, agree their strategy and constitute their structures for achieving data protection and privacy operational change and compliance. These are not simply legal questions: getting ready for the GDPR requires multi-disciplinary skill sets. The PwC Luxembourg team has all of those skill sets to provide an end-to-end solution to the challenges ahead.

Our Services

Assessing compliance

Services that can help you understand where you are positioned with respect to GDPR requirements.

PwC can help you understand where your data assets are and what controls are in place to protect those assets.

We can help you conduct data protection assessments, gap analyses, and overall evaluations of the data protection maturity within the organisation.

Improving compliance

Services that can help you build on your existing structures and controls to improve your personal data protection approach and controls.

PwC can help you with the following challenges:

  • Educate and train your staff related to GDPR;
  • Define privacy controls and privacy policies;
  • Define processes to react to data breaches;
  • Implement accountability mechanisms;
  • Mitigate data breaches;
  • Use data protection tools in line with privacy policies.


Enhancing Data Governance

Services that can help you build and customise your own governance approach to data protection.

PwC can help you design your own program to improve data protection maturity within the organisation. Specific points in this design include:

  • Defining specific privacy and accountability policies;
  • Using robust and sound metrics to compare yourself against competitors;
  • Selecting and training specific data protection roles within your organisation;
  • Aligning privacy strategies to business strategies in order to bridge the compliance gap and protect personal data.


How can we help?

Our data protection team includes consultants, auditors, risk specialists, forensics experts and strategists.

As a multi-disciplinary practice, we are uniquely placed to help you adjust to the new environment.



Third Party Security Assessment

Every company relies on third parties to offer its services and products or to run specific business activities. Third parties usually have access to your company's information systems and sensitive data and can be an entry point for attackers targeting your information system. If your third parties do not meet regulatory and security requirements, your data might be exposed to cyber threats.


Flash News - Luxembourg - Personal Data Protection - The GDPR implementing Law is published.

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, "GDPR"), repealing Directive 95/46/EC, has imposed many changes in the regulatory landscape applicable to data protection.


Three questions for Cédric Nédélec

PwC's DPO, Cédric Nédélec, has followed the debates on this new profession for ten years. He looks back at the limits of the European framework, from its optional nature to wording vague enough not to provoke opposition and to set off a groundswell among the professionals who handle personal data.

European Data Protection Directive: quo vadis?

Officially adopted last spring, the reform of the data protection regime (GDPR, for General Data Protection Regulation) will come into force in May 2018. This overhaul of European regulation on personal data will apply to all companies providing goods and services and holding personal information on European citizens.

"Strengthening the obligations placed on companies"

The entry into force of the new European regulation on personal data (GDPR) marks a major regulatory turning point; from 2018 it will apply to every company that collects, processes and stores personal data whose use can directly or indirectly identify a person.

General Data Protection Regulation: a legal, IT or business issue?

The so-called "GDPR" reshuffles the existing regulatory framework to impose tougher data protection rules across the European Union and beyond. Every EU-based organisation acting as "controller" or "processor" of personal data is concerned, as is every organisation based outside of the EU and acting as a controller of personal data of EU residents.


Contact us

Frédéric Vonner
Partner, GDPR Leader, PwC Luxembourg
Tel: +352 49 48 48 4173

Vincent Villers
Partner, PwC Luxembourg
Tel: +352 49 48 48 2367

Cédric Nédélec
Data Protection Officer, PwC Luxembourg
Tel: +352 49 48 48 2186
