The aim of the General Data Protection Regulation (GDPR) is to create a uniform level of data protection across the European Union (EU). Before the regulation becomes enforceable, it is crucial for organizations to ensure their compliance with the GDPR requirements. The regulation applies to all organizations that process the personal data of individuals in the EU and obliges them to detect, assess and report personal data breaches. The GDPR becomes applicable on 25 May 2018 and replaces the Data Protection Directive (Directive 95/46/EC). Even though the GDPR and the existing Data Protection Act (DPA) have many similarities, there are still significant changes. With this new regulation, the shape of the future data protection framework in the EU is clear.
Subject to the GDPR are not only companies in the EU, but also companies outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. If an organization fails to comply with the GDPR requirements, the penalties can reach up to 2% of its annual worldwide turnover, and for the more serious infringements up to 4% of annual worldwide turnover. Under certain circumstances, the GDPR obliges organizations to appoint a Data Protection Officer (DPO). The DPO may be a member of staff or may work under a service contract.
The Difference between the Data Protection Act (DPA) and GDPR
Currently, the UK relies on the Data Protection Act, enacted in 1998 to implement the EU Data Protection Directive of 1995. The Data Protection Act will be superseded once the GDPR becomes enforceable.
The Data Protection Act applies only to organizations in the UK, while the GDPR applies to any organization that holds or processes the personal data of individuals in the EU, regardless of whether the organization is based in the EU or not.
The Data Protection Act permits an opt-out (negative option) approach, whereas under the GDPR consent must be a clear affirmative action: organizations will be allowed to send marketing e-mails only to people who have opted in to receive them.
For serious breaches, the Data Protection Act carries fines of up to £500,000, whereas under the GDPR the fines for serious infringements can be up to €20 million or 4% of annual worldwide turnover, whichever is higher. Fines of that size could result in the closure of many businesses.
Personal Data Requests
Under the Data Protection Act, organizations were allowed to charge a reasonable fee for subject access requests, and the right to erasure was limited and generally had to be enforced through the courts. Under the GDPR, subject access requests are free in most cases (a reasonable fee may be charged only for requests that are manifestly unfounded, excessive or repetitive), and data subjects have an explicit right to ask for the erasure of their personal data.
Under the Data Protection Act, reporting a data breach was required only if the organization was also covered by the Privacy and Electronic Communications Regulations (as amended in 2011), which applied to telecoms providers and ISPs. Under the GDPR, breach reporting is mandatory: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, and the affected individuals themselves must be notified when the breach is likely to result in a high risk to their rights and freedoms.