The General Data Protection Regulation (GDPR) is a European Union Regulation (Regulation (EU) 2016/679) concerned with the protection and free movement of personal data and the rights of individuals, including children. It replaces the EU Data Protection Directive (95/46/EC) from 1995. As a regulation, the GDPR is a binding legislative act, unlike a directive, which sets out a goal for EU member states to achieve.
After four years of preparation and debate the GDPR was approved by the EU Parliament on the 14th of April 2016 and entered into force on the 25th of May 2016. The enforcement date will be the 25th of May 2018 – at which time those organizations in non-compliance will face heavy fines.
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. With a directive, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
As EU Data Privacy Directive, the GDPR includes the concepts of a data controller and a data processor. A data controller is an entity that determines the purposes, conditions and means of the processing of personal data, while a data processor is an entity that processes personal data on behalf of the controller.
Personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. Personal data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, a device IP address or a mobile device ID.
The conditions for consent have been strengthened. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Data breaches which may pose a risk to individuals must be notified to the Data Protection Authority (DPA) within 72 hours and to affected individuals without undue delay.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a different age of consent but this will not be below the age of 13.
GDPR applies to any US company that collects personal data from EU citizens and transfers it out of the EU. An important note for US companies that use the Privacy Shield Framework is that Privacy Shield only addresses the data transfer requirement. A US company, like any companies in the EU must comply with all the requirements of GDPR.
The UK Government has indicated it will implement an equivalent or alternative legal mechanisms (to GDPR). The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO (the Data Protection Officer in the UK) and UK Government as an effective privacy standard.