On May 25th, 2018, the EU Data Protection Directive of 1995 will be replaced for the first time since it was adopted. The directive is becoming a regulation, a comprehensive law that applies directly in every member state and can be enforced without national transposition, and the changes will affect organisations everywhere.
The new rules are known as the European General Data Protection Regulation, or EU GDPR. Here are 8 key differences:
1. One Set of Rules Across the EU
The EU GDPR is a regulation, not a directive. A directive sets goals for the entire EU that each of the 28 member states then interprets and transposes into its own national law, so the rules differ from country to country.
A regulation, on the other hand, applies directly and uniformly in every member state, which is one of the building blocks of a single digital market across the EU. Each member state keeps its own supervisory authority, but an organisation whose processing crosses borders deals with a single lead supervisory authority (the "one-stop shop"), and the authorities coordinate through the European Data Protection Board so that the regulation is enforced consistently across the union.
2. Personal Data Redefined
Under the current directive, each of the 28 member states developed its own interpretation of what constitutes personal data. The EU GDPR sets a single, broad definition: any information relating to an identified or identifiable natural person, where a person is identifiable if they can be singled out directly or indirectly, from that information alone or in combination with other data.
This means, for example, that a phone number, an IP address, a cookie or device identifier, or an internal customer number stored without an associated name or address still falls under the EU GDPR and needs to be properly protected, because each of them can be linked back to a person.
3. New Individual Rights
Built into the EU GDPR is a strong focus on the rights of individuals. Organisations will have to tell people what their data will be used for and how long it will be kept, and data collected for one purpose cannot simply be reused for an unrelated one: a new purpose needs its own lawful basis, which in practice often means going back to the individual for permission.
Where an organisation relies on consent, that consent must be freely given, specific, informed, and expressed by a clear affirmative action, so pre-ticked boxes, silence, or inactivity no longer count. Individuals will have the right to access their personal data, to have it corrected or deleted, and to receive a copy of it in a portable format. They will also be able to object to certain types of processing, including direct marketing and any profiling connected to it.
4. Mandatory Breach Notification
The EU GDPR requires organisations to report personal data breaches to their supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to put individuals at risk, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. The data breached, and the security measures in place at the time of the breach, must then be evaluated to assess repercussions and ensure future compliance, and organisations must keep a record of every breach, including those that did not have to be reported.
5. Financial Repercussions
To ensure compliance with the new regulation, steep fines are being put in place. For the most serious violations, organisations can be fined up to 4% of their total worldwide annual turnover or 20,000,000 EUR, whichever is higher. A lower tier of up to 2% or 10,000,000 EUR applies to other infringements, such as failing to report a breach or to keep the required records.
6. Joint Responsibility
The regulation defines data controllers as organisations that decide why and how personal data is processed, and data processors as organisations that store, modify, analyse, or otherwise process that data on a controller's behalf. Under the current directive only the controller answers to regulators; under the regulation processors have direct obligations of their own, and both parties can be held liable for breaking the rules.
This means that if an organisation outsources data entry or analysis to a third party, or processes data on behalf of another organisation, both parties are liable. The controller must also have a written contract with each processor that sets out what the processor may do with the data and what security it must provide.
7. Information Governance
Under the EU GDPR, organisations are required to actively track how and where personal data is stored and used throughout their supply chain, and to keep records of their processing activities. This means adopting risk management tools, carrying out data protection impact assessments before starting high-risk processing, and building security and privacy into their operations by design and by default. Organisations must also appoint a Data Protection Officer if they are a public authority, if their core activities involve regular and systematic monitoring of individuals on a large scale, or if they process special categories of data (such as health data) on a large scale. The 250-employee threshold found in earlier drafts survives only as a limited exemption from record-keeping for smaller organisations; it does not decide whether a Data Protection Officer is needed.
8. Truly Global Impact
Even though the regulation is being rolled out by the European Union, its reach is global. Organisations based outside of the EU must comply if they offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the data is handled, stored, managed, or processed. A company anywhere in the world that sells to EU customers, runs a website that tracks EU visitors, or receives personal data from an EU business as its processor, for example, will be affected.
Want to Learn More?
For more information on the new regulation, including a detailed overview and an in-depth Q&A session, check out our recent EU GDPR webinar. In this recorded open discussion, you’ll hear from Andrew Dyson of DLA Piper UK LLP, and Jennifer Sand, CloudLock’s VP of Product Management.