The General Data Protection Regulation, or Regulation (EU) 2016/679 (the “GDPR”), is the new regulation replacing Directive 95/46/EC. It applies to most companies and public authorities processing personal data in the European Union from May 25, 2018.
From a directive to a regulation. The new format (a Regulation instead of a Directive) is aimed at ensuring a consistent approach to, and application of, privacy rules within the European Union, as a regulation applies directly in each Member State without the need for a local transposing law. However, some differences will remain between Member States in specific areas such as data processing relating to employment or to freedom of expression (e.g. journalists’ use of personal data).
The territorial scope has been changed. The territorial scope of the GDPR is much wider than that of the current Directive 95/46/EC, as companies not established in the European Union may be subject to the GDPR (see “Does GDPR apply to your business?”).
New obligations for data controllers and data processors. Both Controllers (a company using personal data for its own business) and Processors (a company using data on behalf of a Controller) will be subject to new obligations, such as keeping a register of their processing activities (separate posts cover the details for controllers and for processors).
Higher fines. From less than one million euros today, the potential fines will rise to up to 4% of global annual turnover or 20 million euros, whichever is higher. This should encourage any company to take privacy seriously.