What’s the difference between GDPR and the data protection directive?

May 9, 2017 1:01 pm Lisa Kelly

The Data Protection Directive is a European Union directive adopted in 1995 which regulates the processing of personal data within the EU. For all intents and purposes, this directive was fit for purpose at the time.

However, a lot has happened since 1995. For example, the band Steps formed, disbanded, reformed, disbanded again and then formed again (let’s hope they stay together this time, it will be a tragedy otherwise!)

This period also seen the hyper adoption of the internet into our lives. It’s where we shop, socialise, and let’s face it, spend most our days. This has resulted in an incredible amount of data being held on you and me by various companies (perhaps your own) across the globe. Many of which fail to protect it properly.

Worried?

You have every right to be as your data is everywhere and maybe even on sale to the highest bidders online. Some companies may not be too careful with the data as they haven’t had to adhere to robust enough regulation in the past.

But fear not (ba ba daba da) the EU Data Protection Directive is finally being updated for the first time since 1995. Even better it is being changed from a directive to a regulation meaning it’s a proper comprehensive, enforceable law.

With the old directive, it meant that each of the EU states could interpret the rules differently. The new regulation on the other hand means that it is to be implemented in the same way by each of the EU member states with the EU supervising its authority across each member state.

First and foremost, it means that organisations will need to pay special attention to customer data. Companies will need to treat customer data as they would wish their own to be treated.

Data redefined

Citizen rights lies right at the heart of the new GDPR regulation and organisations must disclose the intended use and duration of customer data, and gain permissions each time a new use of their data is suggested.

EU citizens must opt in to the storage, use and management of their personal data and can access, amend or request their data to be deleted.

On top of this –  it is up to organisations to report data breaches to individuals whose data has been lost, and they must do this within a 72-hour timeframe. The responsibility also then falls on the company to evaluate the data breach and put preventative measures in place to ensure it doesn’t happen again.

One of the most eyepopping parts of the new GDPR regulation is the figures involved. To make sure organisations are fully compliant with the new regulation, steep fines will be in place – as much as 4% of their global turnover or 20,000,000 EUR, whichever is higher. Check out the big businesses that paid a big price before GDPR.

But what about Brexit or if my company is based in another region?

Brexit-schmexit. GDPR has a truly global impact. Organisations based outside the EU must comply if they handle, store, manage, or process EU citizens’ personal data. The legislation also comes into effect on May 2018 before Brexit happens. So, Britain will have the same regulations to face as every other EU state, even after they leave the EU.

It’s extremely important for every business with dealings within the EU to fully understand and comply with GDPR law (or face BIG fines!) For more information about GDPR and what you need to do next, click here.