When the General Data Protection Regulation (GDPR) takes effect, it will replace the Data Protection Directive (DPD), also known as Directive 95/46/EC, of 1995. Adopted April 27, 2016, the GDPR will become enforceable May 25, 2018. The following is a detailed explanation of the differences between the DPD and the GDPR, as well as new regulations in the GDPR.
Personal data redefined
The most important change in the GDPR is the definition of personal data. The GDPR reflects changes in technology and the ways that organizations collect data about people. Overall, the change is deemed to be good for privacy but bad for existing marketing and sales techniques. Profiling, or developing a snapshot of an individual’s preferences using browser history, purchase history, and so on, will no longer be acceptable under the GDPR unless the individual in question has explicitly consented.
Under the DPD, personal data was defined as data such as names, photos, email addresses, phone numbers, addresses, and personal identification numbers (social security, bank account, etc.).
Under the GDPR, personal data is defined as any information that could be used, on its own or in conjunction with other data, to identify an individual. This data includes IP addresses, mobile device identifiers, and geolocation and biometric data (fingerprints, retina scans, etc.). The GDPR also covers data related to an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.
Opt-in and consent
The purpose of the GDPR is to give residents of the EU better control over how their data is used, and even whether their data is used at all. The GDPR represents progress in privacy considerations; it requires explicit opt-in for the processing of any personal data, and consent for the use of personal data must be informed, specific, and unambiguous. The regulation could very well put an end to long-drawn-out user agreements, which users hardly ever read; descriptions of data use must be short and straight to the point. More importantly, consumers cannot be asked to agree to contract terms in exchange for their consent, and different types of data will require separate consent, eliminating one-size-fits-all agreements. In other words, silence and inactivity will not constitute consent.
Right to access
To make the use of personal data more transparent and empower the residents of the EU, the GDPR gives data subjects the right to access their personal data. In other words, they have the right to obtain from data controllers information on how their data is being used, where, and for what purpose. Data controllers must provide this information along with a copy of the requestor’s personal data in an electronic format, free of charge.
Right to be forgotten
Residents of the EU will also have the right to request that data be transferred from one good or service provider to another, as well as the right to be forgotten. If a person submits such a request, data controllers must erase all the requestor’s personal data, cease further use of that data, and if applicable, halt any third-party use of that data.
Data controllers versus data processors
A key difference between the DPD and the GDPR is that data processors are now regulated under the GDPR. Both data controllers and processors will be jointly responsible for complying with the new rules, meaning if an organization outsources data entry or analysis to a third party or processes data on behalf of another organization, both parties are required to abide by the GDPR and are liable for violations.
Under the DPD, only data controllers were held accountable for anything that went wrong.
Under the GDPR, data processors are required to have a contract with data controllers to process personal data.
The GDPR defines a data controller as a “natural or legal person, public authority, agency or other body, which determines the purposes and means of the processing of personal data,” whereas a data processor is defined as a “natural or legal person, public authority, agency or other body, which processes data on behalf of the controller.” The data processor is also the entity liable for the security of personal data.
Organizations with 250+ employees, whether controllers or processors, must maintain documentation describing their data protection policies and keep records of their data processing activities. These organizations must also conduct regular impact assessments where there is a high risk of a data breach.
The controller or processor must appoint a data protection officer when its core activities involve “regular and systematic monitoring of data subjects on a large scale.” The data protection officer will serve as a central point of contact who knows about how the company collects or processes personal data.
Information governance and security
Privacy: Data regulation
Under the GDPR, organizations are required to actively track how and where data is stored and used throughout the supply chain. To do so, they must adopt risk management tools and build security and privacy into their operations by design.
The GDPR requires that organizations consider compliance with the regulation from the inception of systems and processes—that is, that they implement “privacy by design.” In other words, they should consider the privacy of collected data at all steps in the development of business concepts, from the very beginning. Privacy by design also requires that controllers discard personal data when they are no longer using it.
Security: Impact assessments
For the security of personal data collected and processed by controllers and processors, the GDPR requires that organizations conduct impact assessments for automated data processing activities, large-scale processing of certain kinds of data, and systematic monitoring of publicly accessible areas on a large scale.
Data breach notification and penalties
Breach timeline and procedures
The GDPR requires organizations to report data breaches to the individuals whose data was compromised and to their supervisory authority within 72 hours. The authority will evaluate the data compromised and the preventative security measures in place at the time of the breach to assess repercussions and ensure future compliance.
Under the DPD, EU member states were free to adopt different data breach notification laws. As a result, when companies suffered data breaches in the EU, they had to research and ensure compliance with the notification law of each affected member state.
With the adoption of the GDPR, there will be a single requirement to follow: Data controllers must notify their supervisory authority and individuals affected by a personal data breach within 72 hours of learning about the breach.
Under the GDPR, the breach notification should lay out the nature of the breach, the categories and approximate number of individuals impacted, and the contact information of the organization’s data protection officer. The notification should also explain the likely consequences of the breach and what the controller has done to address and mitigate it. A data processor who suffers a breach is also required to notify the data controller who owns the affected data “without undue delay.”
For violations such as lacking consent to process data or violating privacy by design, organizations could be charged either 4% of their global turnover or €20 million, whichever is higher. Lesser violations, such as not keeping records in order or not notifying the supervisory authority or data subjects about a breach, could result in a fine of 2% of global turnover.
The DPD was not nearly as expansive as the GDPR in its geographical reach, partially because it did not plan for the use of digital personal data such as IP addresses. The GDPR states that it applies to the processing of personal data of subjects located in the EU, even if the controller or processor is not established in the EU, making the GDPR a worldwide law.
The following are some key changes that will be implemented with the GDPR:
The territorial scope has been increased. The regulation applies to all companies that process personal data of people residing in the EU, regardless of the company’s location.
Data subjects must be given more information when their data is collected.
Both consent and explicit consent now require clear affirmative action, and individuals can revoke their consent to data processing at any time.
The minimum age for individuals whose data can be collected is rising from 13 to 16.
Organizations must delete data that is not being used for its original purpose.
Organizations have 72 hours to notify regulators of data breaches that pose a risk to data subjects.
There is a single national office for complaints.
Large data controllers must appoint a data protection officer.
The supervisory authority can impose fines of up to €20 million (roughly £18 million), or 4% of total global annual turnover for the preceding financial year, if it proves an organization has failed to comply with the GDPR.