An Overview Of GDPR
The EU GDPR (General Data Protection Regulation) is a European Union (EU) regulation that affects any organisation that collects, maintains or otherwise processes personal data about individuals in Europe. Being a regulation rather than a directive, it is directly binding as law in all EU member states without needing to be transposed into national legislation.
GDPR differs from the previous EU data protection legislation (Directive 95/46/EC) in its broad territorial scope and direct applicability. GDPR applies to the processing of personal data of data subjects (natural persons) who are in the EU, regardless of whether the processing itself takes place in the Union. In particular, it applies to a controller or processor not established in the Union where the processing activities relate to the offering of goods or services to data subjects in the Union (irrespective of whether payment is required) or to the monitoring of their behaviour, insofar as that behaviour takes place within the Union. Note that the test is whether the data subject is in the Union, not whether he or she is an EU citizen.
GDPR sets a higher standard for consent than the preceding legislation. Consent must be freely given, specific, informed and unambiguous. Silence, inactivity or pre-ticked boxes are no longer interpreted as consent. A request for consent must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form, using clear and plain language. The data subject must be able to withdraw his or her consent at any time and without detriment.
GDPR also introduces the concept of data protection by design and by default. "By design" means that data protection must be built into products and services from the earliest stage of development and not merely as an afterthought; "by default" means that, unless the data subject chooses otherwise, only the personal data necessary for each specific purpose of the processing is collected and processed. Data controllers must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in line with these principles.
Organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale are among those required to appoint a Data Protection Officer (DPO), who is responsible for monitoring the organisation's compliance with the GDPR. Separately, controllers and processors that are not established in the EU but fall within the scope described above must designate an EU Data Protection Representative. The representative is not a DPO but a distinct role with its own responsibilities, so having a DPO is not by itself sufficient for a non-EU organisation offering goods, services or content to data subjects in the EU.
The supervisory authority responsible for GDPR in Malta is the Office of the Information and Data Protection Commissioner (IDPC).
For the most serious infringements, GDPR provides for administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. GDPR has applied since 25 May 2018.