The EU's primary personal data law, the Data Protection Directive 95/46/EC, was replaced by the General Data Protection Regulation (GDPR), which took effect on 25 May 2018.
What Is the GDPR?
The General Data Protection Regulation (GDPR) aims to create consistent protection of consumers and the personal data of all individuals within the European Union (EU) and the European Economic Area (EEA). It standardizes data protection law across all 28 EU countries, removing the need for each state to write its own data protection laws. The GDPR also stipulates that any company that markets goods or services to EU residents, regardless of its geographical location, adhere to the regulation.
What Are The Differences between the DPD and the GDPR?
The most important change with the new GDPR is the definition of personal data and of the processing of personal data. Its focus is to give consumers control of the personal data that companies collect about them. This means that it applies to any organization that sells to, services, or monitors the behavior of people.
What is the definition of "personal data"?
Under the GDPR, personal data is any information relating to an "identifiable person". Identifiable information includes such things as a name, ID number, location, ethnicity, or political standing. Data doesn't have to be confidential or sensitive to qualify as "personal". Personal data includes, but is not limited to: name, email, IP address, 3rd-party hosted services, email form signups, and contact forms. To better understand the regulation, take a look at the publication of the regulation in the Official Journal of the European Union, which defines all terms related to the law. As defined broadly under European Union competition law, the law does not apply to lawful interception, statistical or scientific analysis, or the processing of personal data in a purely personal activity.
What is the punishment for non-compliance?
Non-compliance can result in fines of up to 4 percent of the organization's annual global turnover or 20 million euros ($24.6 million), whichever is bigger. There is, however, a tiered approach to fines: for example, a company can be fined up to 2 percent for not having its records in order, for not notifying the supervisory authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors.