Where are you on your GDPR journey?

General Data Protection Regulation

GDPR at a glance

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The objective behind this European regulation was to modernise data protection law in response to rapid technological change, in order to protect the personal information of individuals and to harmonise data privacy laws across Europe. The GDPR gives individuals greater protection and control over their information and transforms the way organisations handle information about their customers and employees.

Processing of data covers anything one does with personal data, including holding or storing it, whether electronically or manually. It is essential that any business that processes personal data about EU citizens complies with the GDPR.

How does it impact your business?

The GDPR outlines six principles that companies or service providers using customers’ personal data must follow for good data protection practice, namely:
1. Lawfulness, fairness and transparency

When collecting data, organisations must ensure that the processing is legitimate. Data subjects have a right to know how and why their data is being collected and used. This ensures a good company-customer relationship and reduces the risk of complaints and/or requests from data subjects.
2. Purpose limitation

Any organisation must ensure that data is collected for ‘specified, explicit and legitimate’ purposes and that processing is limited to the data required for those purposes. Consequently, data collected for one purpose may not also be used for an entirely different purpose.
3. Data minimisation

The principle of minimisation requires businesses to make sure that the data processed for a specific purpose is kept to the minimum necessary. Ensuring that processed data is not excessive reduces the risk of complaints by data subjects, while limiting the need to carry out further exercises to get rid of unnecessary data.
4. Accuracy

The GDPR stresses that organisations are obliged to ensure that any data which is inaccurate or incomplete is either corrected or destroyed. Data subjects may also request to have their data revised, and organisations must ensure that such requests are met without any unnecessary delay.
5. Storage limitation

Having adequate retention policies and disposal mechanisms in place facilitates the smooth running of the business while ensuring compliance. Storage of data, even in archives, constitutes data processing. This means that data subjects’ rights and controllers’ obligations remain applicable even when the business stops actively using the data.
6. Integrity and confidentiality

Organisations must ensure that the data they collect is secured, so that processing remains lawful and authorised and the data is protected against accidental loss, destruction or disclosure. To do so, organisations must use appropriate ‘technical or organisational measures’. Unsecured data can cause immense damage to an organisation if it is stolen or disclosed to third parties. A data breach leads to considerable obligations to investigate, report and remediate. It may also result in significant penalties.
How we can help

Your organisation may be just getting started, or may already have a GDPR programme in place. We can help you make the best of this regulation, regardless of where you are on your GDPR journey. Here is how our team can help you:
Let's change the way we see risk

Contact us

Mark Lautier

Tax Partner, PwC Malta

Tel: +356 2564 6744

Ruth Vella

Senior Manager, PwC Malta

Tel: +356 7973 8480

Claire Balzan

Manager, Tax, PwC Malta

Tel: +356 2564 2410

Lee Ann Agius

Manager, Tax, PwC Malta

Tel: +356 2564 4027