The General Data Protection Regulation, or Regulation (EU) 2016/679 (the “GDPR”), is the new regulation applicable in the European Union, replacing Directive 95/46/EC. Aimed at strengthening the protection of individuals’ data, it has applied since May 25, 2018.
What is the GDPR for?
The GDPR is the regulation that applies whenever a person processes personal data, i.e. uses data that may identify individuals for various purposes (e.g. profiling, monitoring, marketing, HR, etc.). If this person does so for its own purposes, it is regarded as acting as a controller; if it processes data for another person’s purposes, it is acting as a processor (see here for more details about these notions).
Personal data is any data that directly or indirectly identifies a natural person. This definition is very broad: as soon as a controller has enough information to identify an individual, any information relating to him/her that the controller may process (including inferred information) can be considered personal data (e.g. name, eye colour, interests, comments, photos, lifestyle habits, visiting time, emails, history, financial transactions, friends/networks, analysis, etc.).
Due to the rise of new technologies and the increasing volume of data collected, it has become easier to analyse the behaviour of individuals or to know their past (e.g. via social network profiles, etc.).
The Regulation aims to address these increased risks of disproportionate or unauthorised intrusion into the private sphere of individuals by applying data protection principles (see here) more strictly, by giving individuals more control over their data and by making persons processing personal data more accountable.
What are the main changes brought by the GDPR?
From a directive to a regulation. The new format (a Regulation instead of a Directive) is aimed at ensuring a consistent approach to, and application of, privacy rules within the European Union, as it applies directly in each Member State without the need for national implementation. However, some areas remain specific to each Member State, such as data processing relating to employment or to freedom of expression (e.g. journalists’ use of personal data). Therefore, each Member State has implemented a national data protection law to fill the gaps where necessary.
A wider territorial scope. The territorial scope of the GDPR is much wider than that of the former Directive 95/46/EC. Indeed, organisations not established within the European Union may be subject to the GDPR if they meet certain conditions (see “Does GDPR apply to your business?”). This change is aimed at ensuring that European standards apply to non-EU organisations processing the personal data of individuals in the EU.
The principle of accountability. Controllers no longer have to notify the authorities of their processing activities but, in return, they must be able to demonstrate their compliance with the Regulation. This implies new obligations for controllers (see here) and processors (see here). In particular, the controller must comply with the principles of data protection by design and by default when planning to carry out data processing, conduct data protection impact assessments (DPIAs) when the processing is likely to result in high risks to the rights and freedoms of the data subjects, and be able to notify the supervisory authority of certain security breaches within 72 hours.
Individuals are given more control over their data and have new rights. Controllers must provide more detailed privacy notices (see here), and the rights of individuals over their data are strengthened, more detailed and/or more explicit (e.g. the right to data portability, the right to erasure/to be forgotten, the right to withdraw consent at any time, etc.) (see here for an overview of individuals’ rights).
Increased cooperation between the supervisory authorities (e.g. EDPB, one-stop-shop, consistency mechanism). The GDPR provides for the creation of the European Data Protection Board (EDPB), bringing together the supervisory authorities of each Member State. They must cooperate through a consistency mechanism to ensure uniform application of the Regulation. Moreover, as far as cross-border processing is concerned, a one-stop-shop system allows a lead authority to supervise any audit and sanction the offender on behalf of all the other concerned authorities.
Deterrent sanctions. From less than one million euros in 2016, the amount of potential fines is now up to either 4% of the offender’s global annual turnover or 20 million euros, whichever is higher. This should encourage any organisation to take privacy seriously.