The most important change in data privacy regulation in 20 years
What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
A regulation is a binding legislative act. This basically means that it must be applied in its entirety across the EU – it is unnegotiable. However, a directive is a legislative act that sets out a goal for all EU countries to aim for; it’s up to the individual countries to decide how this is done.
The GDPR is going to be a lot stricter; companies can be fined 4% of annual global turnover or 20 million Euros for not following.
When is GDPR being enforced?
The regulation will come into force 25 May 2018.
Key changes –
- Increased Territorial Scope (extra-territorial applicability)
- Breach notification
- Right to access
- Right to be forgotten
- Data portability
- Privacy by Design
Who will be affected by GDPR?
GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
- It will give individuals greater control and rights over their personal data.
- It will bring consistency to data protection practices, eliminating problems arising from the existence of different national variations.
- It will be a one-stop-shop, so businesses only have to deal with one DPA (Data Protection Act).
- It will address new technological developments.
- It’s likely to require organisation-wide changes for many companies across the EU.
- Businesses may have to redesign systems that process personal data or renegotiate contracts with third party data processors.
- Businesses may have to restructure cross-border data transfer arrangements.
- It may lead to adapting new organisational and technical measures.
- Failure to plan ahead and comply with regulations may result in businesses ending up with a hefty fine.