What It Is

Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), is a directly applicable EU regulation. It modernizes data privacy, protecting personal data of EU individuals with global reach via extraterritorial scope. Its risk-based accountability approach mandates demonstrating compliance through measures like DPIAs.

Key Components

• Seven core principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
• Enhanced data subject rights: access, rectification, erasure (right to be forgotten), portability, objection.
• Obligations include DPO appointment, Records of Processing Activities (ROPA), 72-hour breach notifications.
• Enforcement via fines up to €20M or 4% global turnover; one-stop-shop for cross-border cases.

Why Organizations Use It

Mandatory for processing EU data, it ensures legal compliance, mitigates massive fines, manages risks from breaches/transfers. Builds trust, inspires global standards (e.g., LGPD, CCPA), enables secure Digital Single Market participation.

Implementation Overview

Involves gap analysis, policy updates, training, DPIAs, DPO designation. Applies to all sizes processing EU data, globally. No certification but ongoing audits by DPAs; two-year transition highlighted complexity for SMEs.

What It Is

REACH (Regulation (EC) No 1907/2006) is a directly applicable EU regulation governing the Registration, Evaluation, Authorisation and Restriction of Chemicals. Its primary purpose is to ensure a high level of protection for human health and the environment from chemical risks while promoting innovation. It employs a responsibility shift to industry, requiring manufacturers and importers to generate and submit data on substances.

Key Components

• Four pillars: Registration (>1 tonne/year), Evaluation (dossier checks), Authorisation (SVHCs on Annex XIV), Restriction (Annex XVII bans/limits).
• Technical annexes (I-XVII) detail data requirements, SDS rules, exemptions.
• Built on risk-based assessments, Chemical Safety Reports (CSRs) for >10 tonnes/year.
• Continuous compliance model with no certification but ECHA submissions and national enforcement.

Why Organizations Use It

• Legal obligation for EU market access; penalties for non-compliance.
• Manages supply-chain risks, avoids market bans.
• Drives substitution, enhances ESG reputation.
• Builds stakeholder trust via transparency (Article 33 SVHC info).

Implementation Overview

• Phased: gap analysis, inventory, dossiers, monitoring.
• Applies to manufacturers/importers/downstream users in chemicals/manufacturing.
• EU/EEA scope; ongoing audits, no central certification.