The EU General Data Protection Regulation: A Primer for International Business – March 23, 2016

Morrison & Foerster

Description

protection (Article 52). DPAs have many powers including investigatory powers such as access to equipment and premises and corrective powers such as binding orders and bans on processing, administrative fines, and suspension of cross-border transfers (Article 53). Due to these tasks and powers—especially the high fines—the landscape of data protection enforcement is expected to change considerably.

9. Conclusion

The GDPR adds provisions that reflect the digital economy and signify a shift for companies towards a more uniform, yet still rather intricate, legal framework.

Although it may take some time before the full implications of the GDPR are understood, companies that want to have a head start should pay particular attention to the topics outlined above. The GDPR applicability regime will further extend data protection requirements to non-EU companies. Stricter limitations on profiling and Big Data may complicate development of, and innovation in, certain business areas.

Mandatory data breach notifications to DPAs and individuals will require companies to be ready to act within 72 hours. And all of these new obligations come with unprecedented fines of up to EUR 20 million or 4% of annual worldwide turnover. Other new obligations such as accountability, recordkeeping, and PIAs may require further implementing regulations and DPA guidance before they are actionable.

[1] Article numbers refer to the text agreed upon by the EU Council and the EU Parliament in December 2015 and are likely to change when the GDPR is formally adopted.

© 2016 Morrison & Foerster LLP | mofo.com