Key changes in the GDPR
Last modified: February 8, 2023
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.
The GDPR does not fundamentally change any of the core rules in the 1995 Data Protection Directive. Instead, it extends the Directive’s requirements significantly by introducing a range of new obligations for organizations to support those core rules.
- The Regulation is directly effective in all EU member states from 25 May 2018 without the need for further national legislation. However, some national divergences will remain because member states have limited rights to amend some of the obligations under the Regulation.
- One-stop-shop: Organizations that are established in multiple EU states will be able to nominate a single national data protection authority to act as the lead regulator for all of that organization’s data protection compliance issues in the EU. This should limit the administrative burden for organizations based in multiple countries, which otherwise would have had to interact with a different regulator in each member state they operate in.
- The GDPR applies to all organizations – whether commercial business or public authority – that collect, store or process the personal data of EU individuals, “whatever their nationality or residence”. Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the Regulation and provide the same level of protection of personal data.
- The GDPR directly regulates data processors – Direct obligations are imposed on data processors as opposed to data controllers under the previous EU law – “Data Protection Directive”. Both data controllers and also data processors are responsible for demonstrating compliance not just to the regulator; also to data subjects if necessary.
These legal obligations include: processing personal data only in accordance with the controller’s instructions, restrictions on data sharing without the controller’s consent, return/destruction of personal data upon cessation of relationship, implementing appropriate security measures, maintaining records of personal data, and how it is processed, and providing a much higher level of legal liability should the organization be breached. Organizations and data processors can now be held jointly liable for data breaches
Data controllers are expected to have a written agreement with data processors stipulating adherence with the above obligations to comply with GDPR.
Data subject rights
Sensitive personal data: Stricter controls have been placed on the processing of sensitive personal data, whose definition has been expanded to include genetic and biometric data, such as fingerprints and retina scans. Personal data also includes unique online identifiers, including IP addresses and mobile device identifiers, and geolocation data about an individual.
The purpose for Data Processing: GDPR requires that there must be a least one of the following legal purposes before personal data of data subjects can be processed: Consent, Contract, Legal obligation, Vital interests, Public interest, Legitimate interests
Consent: Data subjects’ consent to process their personal data must be given freely and for the purposes specified. Consent forms should be laid out in clear and simple terms, outlining the purpose of data collection and processing, and onward data transfers to third parties. Silence or inactivity does not constitute consent. Consent from a child under 16 for online services is only valid if authorized by a parent.
Data subject’s rights: GDPR provides EU data subjects with certain rights regarding the control and use of their personal data. These rights are:
- Right to be Informed: Organizations must inform data subjects what personal data of theirs is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties
- Right of access: The GDPR requires companies to provide, at the data subject’s request, confirmation as to whether personal data pertaining to them is being processed, along with the information in a concise, transparent, intelligible, and easily accessible form on categories of personal data being processed, the purpose for such processing, any third party with whom the data is being shared, envisaged period of storage or criteria for determining the duration, and any automated decision-making as regards the use of their personal data like profiling. Companies must be able to provide, free of charge, a copy of the personal data being processed in an electronic format.
- Right to object: Data subjects can at any time object to the processing of their personal data especially if the processing is for marketing purposes including profiling.
- Right to rectification: Data subjects have the right to without undue delay to the rectification of inaccurate or incomplete personal data concerning him or them.
- Right to erasure (“right to be forgotten”): This right enables the data subject to demand complete deletion and removal of personal data without undue delay in the following circumstances:
- The data is no longer needed for the purpose it was collected or processed for;
- Withdrawal of consent by the data subject and where there is no other legal ground to continue with the processing;
- Data subject exercises the right to object to processing and there is no overriding legal/legitimate ground for processing;
- Unlawful processing of personal data;
- Personal data has to be erased to comply with a legal obligation;
- If the personal data relates to a child.
- Right to restriction of processing: Data subjects have the right to request the Controller to stop processing (access and modification) of personal data if:
- Accuracy of personal data is contested by the data subject;
- Continuous processing will be unlawful and the data subject opts for restriction instead of erasure;
- The controller no longer needs personal data for processing purposes, but is still required by the data subject to establish or maintain legal claims;
- The data subject has exercised his right to object but its enforcement is pending the verification of the Controller’s legitimate grounds over that of the data subject.
- Right to Data Portability: In certain cases, the GDPR requires companies to provide mechanisms for a data subject to receive any previously provided personal data in a structured, commonly used, and machine-readable format. Under this provision, the data subject also has the right to request the company transmit the data to another controller or processor, without any hindrance and free of charge.
- Rights Related to Automated Individual Decision-Making and Profiling: This is a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects data subjects.
Profiling: Restrictions are placed on automated processing of personal data with the purpose of evaluating/analyzing data subject, because of the impact it may have on the data subject which can include job denial, refusal of credit application, etc.
- Records of data processing: Data controllers and data processors that process personal data need to comply with a number of obligations to demonstrate compliance including maintaining adequate documentation, by keeping records of data processing activities, appropriate security standards, data protection impact assessments, rules on international data transfers and making these available to the supervisory authority on request. These records need to show what, where, how, and why data is processed.
- Data protection impact assessments (DPIAs) are now a prerequisite before processing personal data using “new technologies” or that is likely to result in a high risk to the rights and freedoms of individuals. An impact assessment identifies and evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk.
- Data protection and privacy by design require organizations to follow Privacy by Design principles and to embed data protection measures – both technical and organizational to protect the rights of data subjects – throughout the design phase of a new product, system, or business process, rather than treating it as an afterthought.
- Appointment of a Data Protection/Privacy Officer: Based on the EU Commission’s writings on the topic, a DPO is required for any enterprise with over 250 employees or for any enterprise processing the personal data of over 5,000 data subjects in any 12-month period. If an organization is a public authority, conducts large-scale systematic monitoring of personal data, or processes large quantities of personal data, it must appoint a DPO, who will ensure compliance with privacy laws.
- Data breach notification: The GDPR introduces a specific obligation on organizations to report any data breach to their supervisory authority as soon as possible and not later than 72 hours of becoming aware of it, except if such breach will cause no harm to the data subject. Where there is a high risk to individuals, those individuals must also be informed without undue delay.
- Enforcement: Under the Data Protection Directive, authorities were limited on punishments imposed on organizations that violated privacy law, however, under the GDPR, the maximum penalties are permitted to attract attention and encourage compliance – regulators are able to impose penalties on organizations for non-compliance of up to 4% of annual global turnover or €20 million, whichever is higher.