In about a year and three months, the most comprehensive piece of EU legislation in the digital area will apply. The General Data Protection Regulation (GDPR) is a Regulation-type EU law, in contrast to the Directive it replaces. A Directive sets a goal for the Member States to work towards, whereas a Regulation is immediately applicable throughout the Union. In other words, by choosing a Regulation, the EU tried to make the new legislation as uniform as possible. The Member States still have to authorize the competent agencies through national legislation, but the rules are the same all over the Union.
It’s all about the citizens
The most important aspect of the GDPR is that it is oriented towards the citizens. It is all about “personal data”, defined as “any information relating to an identified or identifiable natural person (‘data subject’)”. This means that any organisation, whether established in the EU or not, that processes the personal data of data subjects located in the EU will be subject to the GDPR, as will data controllers and processors established in the EU.
Detailed records of the data processing must be kept by processors and controllers and must be made available for inspection by the supervising authority (with a limited exception for SMEs that fulfil certain criteria). Data subjects also gain enhanced rights: the right to be forgotten, the right to restriction of processing and the right to data portability.
The practical implications of the new rights (in particular data portability) will probably present a huge operational and technical challenge for organisations. Furthermore, the GDPR aims at “privacy by design”, which means that businesses must design products and services with the rights of individuals at the forefront. Privacy will be a requirement from the outset of every new project. This new way of thinking will force businesses to change how they operate.
More info on what this means for your business will follow soon...