The General Data Protection Regulation or Regulation (EU) 2016/679 (the “GDPR”) is the new regulation applicable in the European Union, replacing Directive 95/46/EC. Aimed at strengthening the protection of individuals’ personal data, it has applied since May 25, 2018. Here is a high-level summary of the main changes brought by the GDPR.
From a directive to a regulation. The new format (a Regulation instead of a Directive) is aimed at ensuring a consistent approach to, and application of, privacy rules within the European Union, as it applies directly in each Member State without the need for national implementation. However, some differences will remain between Member States in specific areas such as data processing relating to employment or freedom of speech (i.e. journalists’ use of personal data).
A wider territorial scope. The territorial scope of the GDPR is much wider than that of the former Directive 95/46/EC. Indeed, companies not established within the European Union may be subject to the GDPR (see “Does GDPR apply to your business?”).
New obligations for data controllers and data processors. Both Controllers (a company using personal data for its own business) and Processors (a company using data on behalf of a Controller) will be subject to new obligations, such as holding a register of their processing activities (for more details, see here for controllers and here for processors).
Higher fines. From less than one million euros today, the potential fines will rise to up to 4% of global annual turnover or 20 million euros, whichever is higher. This should encourage any company to take privacy seriously.