8 Ways EU GDPR Differs From the EU Data Protection Directive On May 24th, 2018, the EU Data Protection Directive will be updated for the first time since 1995. The directive is now…

8 Ways EU GDPR Differs From the EU Data Protection Directive

Zack Gross

With a passion for all things tech and creative, I spend my time helping people discover how cloud cybersecurity protects and enables businesses all at once.


On May 24th, 2018, the EU Data Protection Directive will be updated for the first time since 1995. The directive is now becoming a regulation – or a comprehensive, enforceable law – and the drastic changes will affect organisations everywhere. 

The new set of guidelines are known as the European General Data Protection Regulation, or EU GDPR, and here are 8 key differences:


1. One Set of Rules Across the EU

The EU GDPR is a regulation, not a directive. A directive is a set of rules presented to the entire EU that can then be interpreted and implemented differently by each of the 28 countries within the union.

The new regulation, on the other hand, creates a unified digital economy across the EU, and will be implemented uniformly by one supervisory authority across the entire union.


2. Personal Data Redefined

Under the current directive, each of the 28 countries developed their own interpretation of what constituted personal data. The EU GDPR enforces a strict and broad definition of personal data, referring to any information that could be used, on its own or in conjunction with other data, to identify an individual.

This may mean, for example, that even a phone number stored on its own without an associated name or address falls under EU GDPR guidelines and needs to be properly protected.


3. New Individual Rights

Built into the EU GDPR is a strong focus on citizen rights. Organisations will have to disclose the intended use and duration of storage of the data acquired, and re-solicit permissions each time a new use of the data is proposed.

EU citizens will have to explicitly opt in to the storage, use, and management of their personal data, and will have the right to access, amend, or request the deletion of, their personal data. Additionally, they will be able to object to certain types of processing – profiling for marketing purposes, for example.


4. Mandatory Breach Notification

The EU GDPR requires organisations to report data breaches to the individuals whose data was lost, and to a supervisory authority within 72 hours. The data breached, and the preventative security measures in place at the time of the breach, must then be evaluated to assess repercussions and ensure future compliance.


5. Financial Repercussions

To ensure compliance with the new regulation, steep fines are being put in place. If violations occur, organisations could be charged either 4% of their global turnover or 20,000,000 EUR, whichever is higher.


6. Joint Responsibility

The regulation defines data controllers as organisations who acquire EU citizens’ data, and data processors as organisations who may manage, modify, store, or analyse that data on behalf of or in conjunction with the controllers. Under the regulation, both parties are jointly responsible for complying with the new rules.

This means If an organisation outsources data entry or analysis to a third party, or processes data on behalf of another organisation, both parties are liable.


7. Information Governance

Under the EU GDPR, organisations are required to actively track how and where data are stored and used through the supply chain. This means adopting risk management tools and building security and privacy into their operations by design. Any organisation directly involved with the processing of data, or with more than 250 employees must also appoint a Data Protection Officer.


8. Truly Global Impact

Even though the regulation is being rolled out by the European Union, it has a global impact. Organisations based outside of the EU must comply if they handle, store, manage, or process EU citizens’ personal data. Any companies in the world who sell to European companies, or received data from EU citizens, for example will be affected.


Want to Learn More?

For more information on the new regulation, including a detailed overview and an in-depth Q&A session, check out our recent EU GDPR webinar. In this recorded open discussion, you’ll hear from Andrew Dyson of DLA Piper UK LLP, and Jennifer Sand, CloudLock’s VP of Product Management.

On-Demand Webinar | BYOQuestions: Gearing Up for EU GDPR Compliance in the Cloud


Browser Not Supported

Your browser version is outdated.

We would recommend you upgrade to a recent version to ensure that you have a good experience on the CloudLock site. Outdated browsers also increase your security risk. So please update your browser and come back later!

Click on the icon below to download the latest version of your browser