As you most likely noticed from its name, the GDPR is a regulation. That means it is part of the law and will be adopted just as it is by all the Member States. By contrast, the Directive could be subjected to interpretation and changes, and each Member State was allowed to implement it in a different manner. Based on this idea, until now, under the Directive, each country could form its own definition of what personal data was. Under the GDPR, personal data is strictly defined. The definition may be broad, but there is no room for interpretation. Also, the GDPR brings with it new individual rights. We can practically say that the main concern of the regulation is the individual, thus creating new rights makes perfect sense. The regulation brings mandatory breach notification; you can see more on this topic in our article “What to do in case of a data breach?”
Another big difference between the regulation and the directive is the global impact the GDPR will have. One of its central parts is the individual, the EU citizen; therefore, any organization processing EU citizens’ data will need to comply with the GDPR, regardless of where it is based. New fines for non-compliance are being introduced with the GDPR. Another difference between the two is the joint responsibility of data controllers and data processors for complying with the rules. Security was important under the Directive as well, but it becomes even more central with the GDPR, as the regulation recommends implementing security “by design and by default”. Appointing a data protection officer is also mandatory, especially for organizations that directly process data or that have 250+ employees.