The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU.
At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
The reforms are designed to reflect the world we’re living in now and bring laws and obligations – including those around personal data, privacy, and consent – across Europe up to speed for the internet-connected age.
The EU’s data protection laws have long been regarded as a gold standard all over the world. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined so a review of the rules was needed.
In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy.
The GDPR is now recognized as law across the EU. Member States have two years to ensure that it is fully implementable in their countries by May 2018.
The timeline below contains key dates and events in the data protection reform process from 1995 to 2018.
The timeline also contains highlights of some of the ways that the GDPR strengthens your right to data protection.
The European Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.
The European Data Protection Supervisor publishes an Opinion on the European Commission’s Communication.
The European Commission proposes a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy.
The European Data Protection Supervisor adopts an Opinion on the Commission’s data protection reform package.
The Article 29 Working Party adopts an Opinion on the data protection reform proposal.
The Article 29 Working Party provides further input on the data protection reform discussions.
The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favor, 10 against, and 22 abstentions.
The European Data Protection Board (EDPB) will replace the Article 29 Working Party. The European Data Protection Supervisor will provide the secretariat for this new, independent European body, of which all European data protection authorities will be members. The role of the EDPB will be to ensure the consistent application of the GDPR throughout the Union, through guidelines, opinions, and decisions.
The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission’s proposal with the latest texts from the Parliament and the Council.
The European Parliament, the Council, and the Commission reach an agreement on the GDPR.
The GDPR reinforces a wide range of existing rights and establishes new ones for individuals. These include:
- Right of data portability: You have the right to receive your personal data from an organization in a commonly used form so that you can easily share it with another.
- Right not to be profiled: Unless it is necessary by law or a contract, decisions affecting you cannot be made on the sole basis of automated processing.
Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Directive of the European Parliament and of the Council of 27 April 2016 on the protection of natural…
The GDPR reinforces a wide range of existing rights and establishes new ones for individuals including:
- Right to erasure (right to be forgotten): you can request that an organization delete your personal data, for instance where your data are no longer necessary for the purposes for which they were collected or where you have withdrawn your consent.
The European Commission proposes two new regulations on privacy and electronic communications and on the data protection rules applicable to EU institutions (currently Regulation 45/2001) that align the existing rules to the GDPR.
Member States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It is applicable from this date.
Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [First reading] – Preparation for the trilogue.
Some organizations, for instance, those whose core activities involve regular and systematic monitoring of personal or sensitive data on a large scale as well as public sector organizations, will have to appoint a Data Protection Officer to ensure they comply with the GDPR.
Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Corrigendum to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016…
What does GDPR mean for businesses?
The General Data Protection Regulation (GDPR) is likely to impact smaller companies: a recent study shows that 82% of SMEs are unaware of the new legislation and will potentially be hit with large fines when it starts being enforced next year.
The GDPR will replace all the existing data protection laws across Europe and shape the way in which companies handle, protect, and profit from data. All businesses and not-for-profit organizations that process personal data concerning employees, customers, or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU.
In other words, European data protection law will now apply worldwide, and businesses have until 25 May 2018 to prepare.
As a business, the crux of GDPR comes down to how you control and process all data – namely this must be done lawfully and transparently.
Data can only be used and held for a specific purpose, and the consent given must relate to that purpose. Under the existing Data Protection Act, companies often rely on generic ‘marketing’ consent, or even presumed consent unless you opt out.
This generic consent or opt-out consent does not comply with GDPR. Under GDPR, you must have documented and evidenced consent for every purpose – if ‘consent’ is the lawful basis that you declare (but we’ll get into that later). For example, if someone opts into email marketing, you cannot use this consent to send them a letter or to call them or their company.
The definition of personal data is also being expanded under the GDPR regulations. Personal data is now defined as any information that can be used to directly or indirectly identify a person or company. Things such as IP addresses and cookies, for instance, can refer back to data subjects.
For many companies, especially those relying on more outbound methods of marketing, this is going to be a significant and potentially costly change to implement.
As mentioned before, your business must choose which route to go down when it comes to holding personal data. The one we’ve mentioned is consent, but there are other lawful bases that you can declare in order to store data for the purposes of contacting individuals or businesses:
- Consent: you can store someone’s data for the purposes of contacting them if you have specific consent from them.
- Contract: you can store and process their data if you have a contractual obligation to that person or company.
- Legitimate interest: you can claim a legitimate interest as the reason you’ve processed someone’s data, unless that interest is overridden by fundamental rights.
- Vital interest: you can process data if you have reason to believe that the processing is of vital interest to the individual or company.
- Public interest: if the processing is in the public interest, you are able to process personal data.
- Legal obligation: if you are legally obliged to process the data, you will be compliant with GDPR.
Once you declare which route your business is going down, you cannot change your mind. For example, if you send out a blanket consent email and lose a large majority of the contacts in your database, you cannot then switch those contacts to a legitimate-interest basis unless you previously declared it. When relying on legitimate interest, you will need to create a Legitimate Interest Assessment (LIA) to protect yourself against any complaints.