Existing European data protection rules, mainly expressed via the EU Directive 95/46/EC, laid out a respectable foundation for development of EU member states’ national legislations. Although respectable at the time of its introduction (in 1995), it lacked uniformity of data subjects’ rights across the EU and did not provide legal protection from inadequate personal data processing outside of EU.
While co-opting most (but not all) provisions from the 1995 Directive, GDPR remedies these shortcomings by extending its scope of application. It intensifies existing requirements and introduces several new ones for legal entities, in addition to multiplying the adverse effects for noncompliance and negligence.
Changes in scope
The GDPR does not introduce changes in the very textbook definition of “personal information” it encompasses. The categories are widened, however, mostly in the digital sphere. Alongside name, (e-)mail address, medical information etc. (according to the ’95 Directive), an individual’s personal data will extend to: photos and audio/visual formats, financial transactions, posts on social networking websites, device identifiers (computer’s MAC/IP address, mobile phones IMEI number), location data, user login credentials, browsing history and more, as well as genetic information.
As to the GDPR roles, Data Processors become affected with the GDPR requirements, albeit in a more limited scope than Data Controllers (the only parties covered by the Directive 95/46/EC). For further reading see the article EU GDPR controller vs. processor – What are the differences?
Probably the biggest change is an “extra-territoriality” principle, implying that an EU-based residence of Data Controllers is no longer a scope limiter. GDPR stipulates that any organisation in the world which processes personal data of EU residents (or showing intent to draw EU customers) becomes liable to the GDPR provisions. For further reading see the article What is the EU GDPR and why is it applicable to the whole world?
Records of processing activities have already received recognition in the EU Directive 95/46/EC. Directive mandated data controllers are no longer required to enter information regarding its personal data processing activities in the Data Protection Authority’s (online) register. GDPR sets a minimal number of 250 employees as a condition for maintaining the records internally and making them available on demand. This number is not relevant, however, if “processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.” These requirements will also apply to data processors.
Mandatory hiring or outsourcing the Data Protection Officer (DPO) business role remains an obligation for public authorities, while other sectors are required if “core activities:”
- Require “regular and systematic monitoring of data subjects on a large scale,”
- Consist of “processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.”
“Privacy Impact Assessments“ (PIA) get more than rewording to “Data Protection Impact Assessments“ (DPIA). These activities have become obligatory ONLY in high-risk situations (upon consultation with DPA/supervisory authority) and when adding new data processes or new technologies.
Data subject’s consent, as one of the legal bases to processing, receives novelties in terms of informing and “exclusiveness.“ Prior to, or at the moment of collection consent, existing documentation of the organisation’s identity information and description of how the organisation intends to use personal information have to be amended with the explanation of legal basis for processing, specification of data retention periods and elaboration of all an individual’s rights and means to pursue them. The action of providing consent can no longer be passive (implied, so called “opt out”), but an active (“opt in”), unambiguous and conscious act of a well-informed individual.
Consent to processing data of children must be provided by their parents/caretakers, up until the age determined by each EU member state national regulation (between 13 and 18 years).
Existing rights of data subjects from the Directive 95/46/EC are propagated in the new law, supplemented with the two new definitions: right to object to personal data being processed for direct marketing purposes and the right to data portability.
Perhaps the most important novelty comes in the form of obligatory report of data breaches. Each data controller/processor must notify the Supervisory Authority in case of potential or real leakage of personal data without undue delay (max. 72 hours). In certain circumstances, the individual(s) concerned must also be informed of the breach.
The most cited parts of the GDPR are usually those that mention fines, so let’s repeat them here:
- Non-compliance (violating the obligations of the processor and the controller) will result with in fines of up to €10 million, or 2% of annual worldwide revenue, whichever is higher
- Negligence (in case of breach including conditions of consent and infringement of data subject rights) goes even higher – up to €20 million, or 4% of annual worldwide revenue, whichever is higher
Alongside fines more than 20 times larger than EU member states’ maximum state retributions based on the Directive 95/46/EC, an important judicial moment comes with the individual compensation element. This element grants data subjects the right to receive compensation if they have suffered damage because of processing that has not respected the rules, and allows them to file a joint claim (a practice introduced from the UK/US “Common Law” principles).
There is also room for national legislation to draw up additional measures, such as imprisonment of responsible officials of legal entities in violation of the GDPR and subsequent regulations.
There is more discrepancy between the “old” and “new” regulations than the changes covered above, but the most important differences, for most of the organisations, have been touched upon here.
New personal data protection requirements could be a sign of things to come: in the future, EU citizens’ personal data (facts which could be used to identify a person) and privacy information (habits which reveal someone’s lifestyle) will come under much heavier legislator scrutiny, not just across the EU, but also the globe. The European Commission will have a much stronger swing with its now-existent multinational stick.
Click here to download your free EU GDPR Implementation Diagram to learn how to comply with this regulation in an optimal way.