When the General Data Protection Regulation (GDPR) takes effect, it will replace the Data Protection Directive (DPD), also known as Directive 95/46/EC, of 1995. Adopted April 27, 2016, the GDPR will become enforceable May 25, 2018. The following is a detailed explanation of the differences between the DPD and the GDPR, as well as the new requirements the GDPR introduces.

Personal data redefined

The most important change in the GDPR is the definition of personal data. The GDPR reflects changes in technology and in the ways that organizations collect data about people. Overall, the change is deemed to be good for privacy but bad for existing marketing and sales techniques. Profiling, that is, developing a snapshot of an individual's preferences from browser history, purchase history, and so on, will no longer be acceptable under the GDPR unless the individual in question has explicitly consented.

DPD

Under the DPD, personal data was defined as data such as names, photos, email addresses, phone numbers, addresses, and personal identification numbers (social security numbers, bank account numbers, etc.).

GDPR

Under the GDPR, personal data is defined as any information that could be used, on its own or in conjunction with other data, to identify an individual. This includes IP addresses, mobile device identifiers, geolocation data, and biometric data (fingerprints, retina scans, etc.). The GDPR also covers data related to an individual's physical, psychological, genetic, mental, economic, cultural, or social identity.

Individual rights

Opt-in and consent

The purpose of the GDPR is to give residents of the EU better control over how their data is used, and even over whether their data is used at all. The GDPR represents progress in privacy considerations: it requires an explicit opt-in for the processing of any personal data, and consent for the use of personal data must be informed, specific, and unambiguous.

The regulation could very well put an end to long-drawn-out user agreements, which users hardly ever read; descriptions of data use must be short and straight to the point. More importantly, consumers cannot be asked to agree to contract terms in exchange for their consent, and different types of data will require separate consent, eliminating one-size-fits-all agreements. Silence and inactivity will not constitute consent.

Right to access

To make the use of personal data more transparent and to empower the residents of the EU, the GDPR gives data subjects the right to access their personal data. In other words, they have the right to obtain from data controllers information on how their data is being used, where, and for what purpose. Data controllers must provide this information, along with a copy of the requestor's personal data in an electronic format, free of charge.

Right to be forgotten

Residents of the EU will also have the right to request that their data be transferred from one goods or service provider to another, as well as the right to be forgotten. If a person submits such a request, data controllers must erase all of the requestor's personal data, cease further use of that data, and, if applicable, halt any third-party use of that data.

Data controllers versus data processors

Liability

A key difference between the DPD and the GDPR is that data processors are now regulated under the GDPR. Data controllers and processors will be jointly responsible for complying with the new rules: if an organization outsources data entry or analysis to a third party, or processes data on behalf of another organization, both parties are required to abide by the GDPR and both are liable for violations.

DPD

Under the DPD, only data controllers were held accountable for anything that went wrong.

GDPR

Under the GDPR, data processors are required to have a contract with data controllers in order to process personal data.
Title: The Data Protection Directive versus the GDPR: Understanding key changes. Posted in Security Standards and Compliance.