You may have heard this acronym many times over the past few months. GDPR is the General Data Protection Regulation (EU) 2016/679, enacted by the European Parliament and Council. It has the status of a binding law throughout the EU. The GDPR was adopted on April 27th, 2016 and will come into effect May 25th, 2018. The GDPR concerns how private data is collected, handled, stored, protected, conveyed, used and generally processed in every way. The GDPR replaces the EU directive 95/45/EC, which was the major EU legislation with respect to data privacy up until now. There are many differences between the Directive and the GDPR, some of the most prominent of which are:
1. Directive vs. Regulation. A Directive sets forth guidelines for the EU member states, which each member state then needs to adopt and implement in its own legislation concerning data privacy. The GDPR is a regulation that actually sets forth binding rules that require no further state legislation in order to take effect in each of the EU member states, and thus it helps achieve a more harmonized legal platform concerning data privacy in the EU (although the GDPR still leaves, in certain issues, some leeway for local legislation).
2. Scope. While the Directive only applied within the EU, the GDPR, by defining a very broad material scope of applicability, applies to many entities worldwide, even those that have no presence in the EU.
3. Enforcement and Sanctions. The GDPR introduces heavy fines and dedicates a lot of attention to enforcement and punishment.
4. Data Subject Rights. The GDPR reinforces existing data subject rights, anchors case-law rights (such as the right to be forgotten), and also introduces new data subject rights (such as the right of portability, the right of suspension of processing, and the right of data subjects to receive a full account of the private data held by controllers/processors).