GDPR is a new set of European regulations that, in a nutshell, set out to codify how a data holder should secure and protect any personal data that they hold. Further, it also codifies the rights of the individual regarding any data held about them. Of course, it being a European regulation, it is obviously a lot more detailed than that.
Firstly, it may be helpful to explain what the difference is between a European regulation and a European directive. Both are legally binding on member states. However, a directive leaves wiggle room for the member states to decide how the stated directive obligation is met, whereas with a regulation, the European Union (EU) dictates both the obligation and the method of fulfilling said obligation.
For an entity such as the EU, regulations allow a unified approach to an issue across all the twenty-nine current member states (more on the impending Brexit and how post-Brexit UK law may look later).
GDPR, as already alluded to, is the European Union’s attempt to ratify into law a common approach to data privacy laws across Europe. It replaces the EU Commission’s directive (Data Protection Directive 95/46/EC), which has been interpreted differently across the member states, causing some confusion for pan-European companies and affected persons. It is important to understand the environment that led to these regulations’ being signed into law.
GDPR’s lineage can be traced back to the Organisation for Economic Co-operation and Development’s (OECD) guidelines on the protection of privacy and transborder flows of personal data. These were set out to protect personal data and the fundamental human right of privacy. The policy defined eight guiding principles:
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
The guidelines were incorporated into national law in many nations across the world and the EU, with notable exceptions. However, they were nonbinding, and the levels of data protection varied greatly even amongst different EU member states. This led to the EU’s first attempt at pan-European harmonization and rationalization, Directive 95/46/EC. The directive set out guidelines regarding the transfer of personal data to countries outside the EU and established independent Data Protection Authorities in each member state. On the whole, the directive stayed true to the original recommendations of the OECD and to the core concept of the right to privacy being a human right. Now, even though Directive 95/46/EC was supposed to codify the relevant laws of all member states, it was still a directive. (Remember what I said about a directive? You must do it, but how you do it is up to you.) This led to a mishmash of often-conflicting rules and regulations across the member states. This, coupled with changes to data usage and the growth of the Internet (remember that in 1995, only 1% of the European population used the Internet, and concepts like social media and cloud storage were not even a digital twinkle in anybody’s eye), led to the need for a massive overhaul of the regulations. However, it is important to understand that the main principles of GDPR are still guided by the previous directive and the OECD guidelines, and that GDPR is meant to update data privacy standards to fit the needs of today’s technology.
For a fuller and more detailed explanation of these events, read “How did we get here?”
How Do the GDPR Rules Affect Reality?
GDPR becomes enforceable on May 25, 2018, in all member countries of the European Union, including the UK, as Brexit will not have taken effect until March 29, 2019, at the earliest. How will this affect how you, as a business or an individual, deal with private data? GDPR is big on sanctions, with a fine of up to 4% of annual global turnover or 20 million euros for the most serious infringements, for example not having consent from a customer to process their data, or violating the core tenets of privacy, whether through a lack of technical protections or through design. This fine applies to any organization, including those located outside of the EU, if they offer goods or services to, or “monitor the behaviour” of, EU data subjects. Further sanctions are tiered, up to 2% of global turnover, for not having data records in order (article 28), for not notifying the supervising authority and the data subject about a data breach, or for not conducting an impact assessment.
To me, it seems that GDPR is not really about protection, but about sanctions. It is going to be a revenue generator for the EU. GDPR is currently about shutting the barn door after the horse has bolted. That said, going forward it may instill a privacy-minded design process. Any company that engages in large-scale and systematic monitoring or large-scale processing of sensitive personal data, and any public authority, will have to appoint a data protection officer. When your name is on the door for a potential 20 million euro fine, you had better be on the ball with your processes. It will be interesting to see how this new rule can actually be monitored and policed.