On 25 March 2018, the European Union started enforcing the General Data Protection Regulation or GDPR. It is a landmark data privacy law that provides individuals control over their personal data and regulates how businesses and other non-government organizations process the personal data of EU citizens.
Note that the GDPR supersedes the Data Protection Directive or DPD, also known as Directive 95/46/EC adopted by the EU in 1995. Nevertheless, it forms part of the greater legal framework for promoting and protecting privacy rights. This article explains the differences between GDPR and DPD, thus explaining further the key changes in the new EU data privacy law.
GDPR vs. Data Protection Directive: What are the Key Changes?
1. Definition of Personal Data
DPD defined personal data as any information relating to an identified or identifiable natural person or data subject. Examples of personal data include names, physical address, phone number, email address, photos, social security details, and bank account details, among others.
On the other hand, GDPR provides a more extensive but still concise definition. To be specific, it defines personal data as any information that could be used, either on its own or in association with other data, to identify an individual.
The definition of GDPR reflects developments in technology and communications. Under the new law, personal data now include IP addresses, mobile device identifiers, biometric data such as fingerprints or retinal scans, geolocation, medical records including genetic data, and social and cultural information, among others.
2. Control Over Personal Data
A defining feature of the GDPR is that it gives individuals or data subjects rights or control over their personal data by enforcing new legal concepts such as opt-in and consent requirements, right to access, and right to be forgotten.
The new EU law requires organizations to secure opt-in and consent for the processing of any personal data of individuals. In addition, they are required to provide a short but sufficient explanation on how they will use these personal data through specific GDPR-compliant privacy agreements.
Individuals or data subjects now also have the right to access their personal data, specifically by asking organizations how such are being used, where, and for what purpose. Providing these information should be in an electronic format and free of charge.
The data subjects also have the right to be forgotten. An individual can request an organization to erase his or her personal data, cease further use of such, and whenever applicable, stop a third-party from using such.
3. Data Controllers and Data Processors
Another key difference between the GDPR and DPD is the inclusion of data processors. Before, under the DPD, only data controllers were held accountable for any mishandling of personal data. Under GDPR, both data controllers and data processors are jointly responsible.
The GDPR also requires data processors to have a contract with data controllers for the processing of personal data. The data processor is specifically responsible for the security of these personal data.
Also, the new law requires a data controller or data processor to appoint a data protection officer who will serve as the central point of contact for inquiries about how personal data are collected and processed.
4. Additional Responsibilities for Organizations
GDPR gives organizations additional responsibilities to ensure the security of personal data through the concept of privacy data. This concept requires a particular organization to consider the privacy of collected personal data at all steps of business development and operations.
Organizations are also required to conduct impact assessments for automated data processing activities, large-scale processing of particular types of personal data, and systematic monitoring of publicly available areas to promote security further.
5. Protocols for Data Breach and Penalties
The GDPR is a stringent data privacy law compared to the Data Protection Directive. It requires an organization to report instances of a data breach within 72 hours to affected data subjects and supervisory authority.
Note that DPD allows EU member countries to adopt different protocols for data breach, particularly the processes for notifying data subjects. GDPR streamlines and standardizes the protocol.
5. Extensiveness of the GDPR
Compared to the DPD, the General Data Protection Regulation is more extensive. A key change introduced in the GDPR is that it applies to all businesses and non-government organizations that process personal data of individuals residing in the EU. What this means is that the law applies even to organizations that do not have a physical presence in the EU.
Other key changes in the GDPR are the need to provide data subjects with detailed information as regards how their personal data are collected, processed, and used; setting of minimum age for individuals whose personal data can be collected from 13 to 16; the need to appoint data protection officers for large data controllers, and the establishment of a single national office for complaints.