The European Union’s General Data Protection Regulation will replace the current 95/46/EC Directive by 2018. Unlike the current Directive, the GDPR will be a law and will have to be adopted by all the countries in the EU.

Those familiar with the Directive will soon notice the GDPR is built on the directive – some aspects remaining the same, others change and new rules are added. For instance, the GDPR puts a much greater emphasis on individual rights, while also bringing bigger fines for non-compliance. It has the purpose of re-conciliating country-specific and sometimes conflicting European data privacy laws.

Most importantly, it aims at changing the way organizations that operate in the EU or that collect personal data from the Union’s citizens, approach data privacy.

Empowering citizens regarding their personal data is one of the main objectives pursued through the Regulation.

As a regulation, the GDPR must be immediately applied across the Union, unlike a directive, that must be transposed by each member state into the national law.

WHO IS GDPR FOR?

One of its important traits is that it will impact every entity that holds or uses European personal data whether they operate inside or outside of Europe. In short, no matter where you are in the world, if you sell goods to European citizens or process their personal data, you have to comply to the GDPR. This means the regulation will affect many more business than the current Directive, a positive aspect especially for EU citizens who are now more protected, but a less positive change for those businesses outside of the EU who find themselves having to comply with a new set of rules. This also solves the question many people in the UK have been asking: “does Brexit affect them and their business?” The short answer is that it all comes down to the individuals they work with. As it is unlikely, at least at first, that organizations in the UK will cut down all ties to EU individuals, they should comply to the GDPR, in order to be sure they will avoid unnecessary fines.

DATA PROCESSORS & DATA CONTROLLERS

Other changes organizations should pay attention to are those related to data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data; the processor is an entity which processes personal data on behalf of the controller. Under the Directive, only the controllers were held responsible  for data protection compliance, not the processor. Now, the processors will be placed under a direct obligation to comply with data protection requirements, that only applied to controllers until now. Both the controller and the processor can be either a natural person, a legal one, public authority, agency or other body.

As a data processor you will have a series of obligations according to the GDPR, many of which interwind with those of data controllers. To begin, all data processing has to meet the requirements of the regulation. That means, data controllers can only appoint processors who guarantee to implement enough technical and organizational measures to comply with data processing rules. Also, there must exist a contract between the controller and the processor. Both processors and controllers should implement appropriate security measures. What exactly ‘appropriate’ means will be decided in each case, according to the sensitivity of the data being processed, the risks of a security breach, the cost of the implementation and the nature of the processing.