The new General Data Protection Regulation of the EU was voted on 25 May 2016 and will therefore enter into force on 25 May 2018.
As opposed to its predecessor (which will remain in force until then), which was a directive, this will be a regulation. The difference is that a directive has to be transposed into national legislation and is therefore subject to "customisation" by the different national legislatures. Thus, companies operating in several EU member states were faced with differing rules. The new regulation also leaves some questions for member states to regulate, but these mainly concern processing of data by their public services. Companies and nonprofits will have to adapt to the same rules whichever member state of the European Economic Area they operate in. The "one stop shop" and the rules of co-operation between the national data protection authorities will make it easier for both data subjects and data controllers to deal with cases concerning several countries.
They will also benefit from a number of other changes: the new rules concentrate more on accountability and records evidencing compliance than on administrative procedures. Even direct marketing can in some cases be considered a legitimate ground for collecting and using personal data. On the other hand, this comes with reinforced rights for data subjects - the famous "right to be forgotten", but also the right to data portability and a clarification of the requirements for valid consent (which are stricter in the case of "special categories of data", i.e. sensitive data which merit special protection) - and with requirements for data controllers (the companies using the data, for example) to show more foresight: privacy by design, privacy by default, and privacy impact assessments.
In the following series of posts I will go through the main new and changed features of data protection legislation and give some hints on how data controllers can prepare and then comply.