When the General Data Protection Regulation (GDPR) takes effect, it will replace the Data Protection Directive (DPD) – becoming enforceable by May 25, 2018. The following is a detailed explanation of the differences between the DPD and the GDPR.
1. Personal Data Redefined
GDPR changes the definition of personal data, reflecting changes in technology and the ways that organisations collect data about people. Profiling, or developing a snapshot of an individual’s preferences using browser history, purchase history, and other related activity, will no longer be acceptable under the GDPR unless the individual in question has explicitly consented. Comparatively:
Under the DPD, personal data was defined as data such as names, photos, email addresses, phone numbers, addresses, and personal identification numbers (social security, bank account, etc.).
Under the GDPR, personal data is defined as any information that could be used, on its own or in conjunction with other data, to identify an individual. This data includes IP addresses, mobile device identifiers, and geolocation and biometric data (fingerprints, retina scans, etc.). The GDPR also covers data related to an individual’s physical, psychological, genetic, mental, economic, cultural, or social identity.
2. Individual Rights
Opt-in and Consent
The GDPR represents progress in privacy considerations; it requires explicit opt-in for the processing of any personal data. Descriptions of data use must be short and straight to the point, and will eliminate one-size-fits-all agreements.
Right to Access
To make the use of personal data more transparent and empower the residents of the EU, the GDPR gives data subjects the right to access their personal data. In other words, they have the right to obtain from data controllers information on how their data is being used, where, and for what purpose. Data controllers must provide this information along with a copy of the requestor’s personal data in an electronic format, free of charge.
Right to be Forgotten
Residents of the EU will also have the right to request that their data be transferred from one good or service provider to another, as well as the right to be forgotten. If a person submits such a request, data controllers must erase all the requestor’s personal data, cease further use of that data, and, if applicable, halt any third-party use of that data.
3. Data Controllers vs. Data Processors
A key difference between the DPD and the GDPR is that data processors are now regulated under the GDPR. Both data controllers and processors will be jointly responsible for complying with the new rules, meaning if an organisation outsources data entry or analysis to a third party or processes data on behalf of another organisation, both parties are required to abide by the GDPR and are liable for violations.
Under the DPD, only data controllers were held accountable for any mishandling of consumer data.
Under the GDPR, data processors are required to have a contract with data controllers to process personal data. The data processor is the entity liable for the security of personal data.
The controller or processor must appoint a data protection officer when its core activities involve “regular and systematic monitoring of data subjects on a large scale.” The data protection officer will serve as a central point of contact who knows about how the collection or processing of personal data is performed.
4. Information Governance and Security
Privacy: Data Regulation
GDPR requires that organisations consider compliance with the regulation from the inception of systems and processes—that is, that they implement “privacy by design.” In other words, they should consider the privacy of collected data at all steps in the development of business concepts, from the very beginning. Privacy by design also requires that controllers discard personal data when they are no longer using it.
Security: Impact Assessments
For the security of personal data collected and processed by controllers and processors, the GDPR requires that organisations conduct impact assessments for automated data processing activities, large-scale processing of certain kinds of data, and systematic monitoring of publicly accessible areas on a large scale.
5. Data Breach Notification and Penalties
Breach Timeline and Procedures
The GDPR requires organisations to report data breaches to the individuals whose data was compromised and to their supervisory authority within 72 hours. The authority will evaluate the data compromised and the preventative security measures in place at the time of the breach to assess repercussions and ensure future compliance.
Under the DPD, EU member states were free to adopt different data breach notification laws. As a result, when companies suffered data breaches in the EU, they had to research and ensure compliance with each member state.
With the adoption of the GDPR, there will be a single requirement to follow: Data controllers must notify their supervisory authority and individuals affected by a personal data breach within 72 hours of learning about the breach.
The DPD was not nearly as expansive as the GDPR in its geographical reach, partially because it did not anticipate the use of digital personal data such as IP addresses. The GDPR states that it applies to the processing of personal data of subjects located in the EU, even if the controller or processor is not established in the EU, giving the GDPR effectively worldwide reach.
In summary, the following are some of the key changes that will be implemented with the GDPR:
- The regulation applies to all companies that process personal data of people residing in the EU.
- Data subjects must be given more information when their data is collected.
- Both consent and explicit consent now require clear affirmative action.
- The minimum age for individuals whose data can be collected is rising from 13 to 16.
- Organizations have 72 hours to notify regulators of data breaches that pose a risk to data subjects.
- There is a single national office for complaints.
- Large data controllers must appoint a data protection officer.
By Samantha Beaumont, security consultant, Synopsys