The Data Protection Directive was ahead of the curve in its attempt to protect the data of European Union citizens. Here’s how the GDPR updates the old ways for the new world.
Back in 1995, the Data Protection Directive, or Directive 95/46/EC, was enacted to regulate and protect the privacy of the personally identifiable information of European Union citizens.
It required that companies inform data subjects when their data is collected, explain who collects it and, once collected, secure that data against loss or theft. It also required that companies not share personal data with third parties without the consent of data subjects, and that they allow subjects to correct inaccuracies in their data. Rounding out the directive, it limited use of collected data to the stated purpose and held data collectors accountable for it. As a directive, however, it bound member states to a result rather than binding companies directly: each state had to transpose it into national law, which is where its uniformity was lost.
21 years later, in April 2016, the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (GDPR), which applies from 25 May 2018. It supersedes and updates its legislative ancestor, the ‘95 Data Protection Directive, to strengthen online privacy rights. Unlike a directive, a regulation applies directly in every member state without national transposition.
One Union, Under Regulation
Because the original Data Protection Directive had to be transposed separately by each member state, its rules were interpreted differently from one country to the next. The GDPR unites all 28 European Union countries under a single data protection regulation, overseen by the Data Protection Authorities (DPAs, called supervisory authorities in the regulation) that each member state appoints to implement and enforce the rules and to protect the rights and freedoms of data subjects.
The previous directive also lacked the GDPR’s wide-ranging territorial reach, which tightens the rules for transferring personal data outside the European Union. Even if your company or organization is located outside the EU, it must comply with the GDPR if it processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. In other words, if an American company sells a product or service to customers in Europe, it must protect those customers’ personal data against loss or theft.
Greater Individual Rights
The ’95 directive already gave data subjects several rights, including the right to correct inaccurate data and to know what their collected data was used for, but the GDPR grants citizens considerably more control over their personal data. Consent must now be an affirmative opt-in that is freely given, specific, informed and unambiguous; data subjects can object to certain uses of their data, and can invoke the “right to be forgotten” (the right to erasure) to have their personal data deleted. The definition of personal data is also broader, explicitly covering online identifiers and location data, while genetic and biometric data join the special categories of sensitive data, and the processing of children’s data receives specific protection.
One of the major tenets of the GDPR was not present in the original 1995 directive: the potential for steep penalties against data controllers and processors who fail to comply. Breach notification is another rule missing from the ’95 directive: a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and to the affected data subjects when it is likely to result in a high risk to their rights and freedoms. For the most serious violations, DPAs can impose fines of up to 20 million Euros or four percent of an organization’s global annual turnover, whichever is higher.
Businesses all over the world have had two years to prepare for GDPR compliance. If your company is still not ready, contact eperi for an easier road to compliance.