General Data Protection Regulation

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It has extraterritorial effect in certain circumstances and will affect Asian business practice from 25 May 2018. Key aspects include the following:


  • Infringement fines of up to 4% of a company's global turnover or €20 million, whichever is higher
  • Right of erasure / right to be forgotten
  • Privacy by design
  • Legal basis for processing data
  • Single set of rules for all EU states
  • Increase in corporate use of Data Protection Officers
  • Data portability rights
  • Data protection / privacy by design and by default
  • Records of processing activities

Regarding the fines themselves, there are two tiers:

  • Up to €10 million or 2% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the:
    • Implementation of a privacy by design and a security by design approach as well as the performance of a data protection risk assessment in case of new technologies such as those of the Internet of Things;
    • Recording of data processing activities;
    • Data processor’s main obligations;
    • Notification in case of data breaches; and
    • Appointment of a data protection officer (when necessary).
  • Up to €20 million or 4% of the total worldwide turnover of the previous year in case of breach of obligations relating, among others, to the:
    • Basic principles for data processing, including the conditions for privacy consent;
    • Individuals’ rights such as the right of access, the right to be forgotten and the portability right; and
    • Transfer of personal data outside of the European Economic Area, which will be crucial in view of the Privacy Shield now agreed for the transfer of data to the United States.

In terms of relevance to Hong Kong, on May 17, 2017, the Privacy Commissioner Stephen Kai-yi Wong said at a conference in Berlin: “The European Union (“EU”) is Hong Kong’s second largest trade partner and the EU Directive 1995 was one of the key models on which the Ordinance was based when it was enacted 21 years ago. The new GDPR’s extra-territorial effect also seems to suggest that Hong Kong businesses which collect, store and process the personal data of EU’s citizens should be obliged to comply with GDPR’s requirements.”


Our services

  • Gap analysis - detailed examination of your business to assess major areas of non-compliance. Understand that despite the coming into force of the GDPR, many pre-existing data privacy requirements may not be met at present by your organisation.
  • Data process mapping - understanding how personal data flows through your organisation.
  • Impact assessment - looking at the risks within your new system.
  • Data Protection Officer (DPO) - we act as externally appointed data protection officers for corporations. In such a role, we are independent and able to advise the corporation in an impartial manner.

Checklists

Detailed checklists are available for your business to assess its degree of current compliance with the legislation. Contact us for further details.

Resources

  • European General Data Protection Regulation Overview
  • European General Data Protection Regulation Wiki



    Date Created: 1 June 2017   |   Date Modified: 1 February 2018   |  Author: Dmitri M A Hubbard