The old EU data protection directive compared to the new GDPR act. What are the main differences?
As things stood till recently, personal data protection was harmonized within EU Member States by the Data Protection Directive (DPD) 95/46/EC, which is now being replaced - or upgraded - by the General Data Protection Regulation (GDPR), primarily to ensure a more predictable and controlled environment for entities collecting and processing personal data. With GDPR coming into force on 25 May 2018, we have summarised how it differs from the previous Data Protection Act, and the key implications for business.
Extended territorial scope
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The new EU data protection rules will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens or to monitoring behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens are also required to appoint a representative in the EU.
Fines
Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts.
There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order, for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment. These rules apply to both data controllers and data processors.
Records of processing activities
This is a mandatory "compliance demonstration" mechanism under the GDPR which has no counterpart in the DPD. Organisations are likely to face initial administrative and financial burdens in order to maintain records of their processing activities.
Consent
Where the previous EU data protection rules allowed data controllers to rely on implicit and "opt-out" consent in some circumstances (for example, "tick here if you don't wish to receive offers"), the GDPR requires the data subject to confirm agreement by "a statement or a clear affirmative action". The new law maintains the distinct requirements for processing "special categories of personal data" that were present in the Directive, but it expands the range of what is included in those special categories. The new rules also introduce restrictions on the ability of children to consent to data processing without parental authorisation.
Data Protection Officer
The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) in some circumstances, their role being to oversee data protection strategy and implementation to ensure compliance with GDPR requirements. The new EU data protection rules state that entities must appoint a data protection officer if:
- they are a public authority (except for courts acting in their judicial capacity)
- they carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- they carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A single data protection officer may be appointed to act for a group of companies or for a group of public authorities, taking into account their structure and size. The GDPR also allows organisations to outsource the DPO role to an external provider.
Would you like to find out more about the GDPR and how it will impact your business? Grant Thornton has a dedicated team to help you ensure that when the time comes, you have everything covered. Email us to find out more about how to make your business compliant with the new EU data protection regulations.