WHAT IS GDPR?

The General Data Protection Regulation or “GDPR” is a piece of legislation, adopted to replace the current 1995 Directive. The GDPR had a 2-year transitional period ending on the 25th of May 2018. By then all the affected organisations need to implement the measures regarding the protection of personal data.

The GDPR marks the beginning of a new era in personal data protection within Europe mainly for 2 reasons – the fact that it is a Regulation and not a Directive, meaning that member states are required to implement the law on a unified basis thereby creating a “one continent one law” AND the hefty fines introduced by it which highlights the importance of controlling and/or processing personal data of EU data subjects.

What makes GDPR even more powerful is that it is perceived as a global data protection law as a result of  the extraterritorial scope of the GDPR. This represents a significant expansion of EU data protection obligations to cover all processing activities relating to EU-based data subjects. Thus, almost any organization (whether or not they are physically present within the EU will fall within the remit of the GDPR where they have access or control of personal data on EU data subjects).

WHAT’S NEW?

• Requirement of Express/Explicit Consent from data subjects
• New principles regarding processing of personal data (e.g. Data minimisation, Retention period etc.)
• Introduction of new data subject rights (e.g. Right to be forgotten, Data portability etc.)
• The need to appoint a Data Protection Officer (DPO)
• Introduced the concepts of Privacy by Design and Privacy by Default
• New encrypting and security standards for protecting personal data (e.g. Pseydonimisation, Anonymisation, Encryption)
• New and strict procedures regarding the notification in case a data breach occurs
• Increased amount of penalties for failing to comply with the GDPR’s requirements

Check out the following video for a summary of the key changes.