RD Privacy


Key Privacy Changes implemented by the GDPR

Although the GDPR has applied since 25 May 2018, there are still many questions about how it affects businesses and day-to-day work within an organization. To make the GDPR easier to understand, I have summarized the most relevant changes in a comparison exercise between the EU Privacy Directive (Directive 95/46/EC) and the GDPR. This is not a comprehensive analysis but a summary of the key changes that came with the GDPR, written in plain language so that all business units can follow it.

Comparison exercise - EU Privacy Directive & GDPR - Key Privacy Changes

Territorial scope: The GDPR has expanded its territorial scope. Under the Directive a controller was subject to EU privacy law if (1) it had an establishment in the EU or (2) it used equipment situated in the EU. The GDPR changed this considerably: both Controllers and Processors are subject to the GDPR if they (1) have an establishment in the EU, or (2) offer goods or services to, or monitor the behaviour of, data subjects who are in the EU, regardless of where the organization itself is located. The big difference is that the territorial scope used to be tied to the idea of an establishment (or equipment) in the EU, and is now tied to the protection of the rights and freedoms of the data subjects who are in the EU, whether or not they are EU residents.

Representative in the EU: The GDPR requires Controllers and Processors that process personal data of data subjects in the EU, but have no establishment in the EU, to designate a Representative in the EU. A similar requirement already existed under the Directive, but there the Representative had to be established in each Member State where the controller's processing took place. Under the GDPR a single Representative, established in one of the Member States where the relevant data subjects are, is sufficient, even if the processing targets several different Member States (MS). Another change is that under the GDPR the Representative can itself be the target of enforcement proceedings for the Controller's or Processor's non-compliance, which considerably increases the risk of acting as a Representative.

Data Protection Officer: This is a new EU-wide requirement introduced by the GDPR (some Member States, such as Germany, already required a DPO under national law). Controllers and Processors have to appoint a DPO (Data Protection Officer) in certain circumstances, for example when their core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data, or when the processing is carried out by a public authority. The DPO's role is to advise on, and monitor compliance with, the organization's data protection obligations; the DPO does not carry personal liability, contrary to the Data Protection Representative. The DPO's contact details must be published and communicated to the Supervisory Authority (SA) of the main establishment of the Controller or Processor. When the Controller/Processor has no establishment in the EU, the DPO must be notified to the SAs where the processing takes place; in Portugal and Germany we make use of the so-called one-stop-shop mechanism as instructed by the SAs in the respective countries, and in that case we notify only the SA where the Representative of the Controller is located.

Data Subject's Rights: The GDPR has strengthened the rights of data subjects, in particular by introducing the right to data portability and the right to restriction of processing, and by making explicit the right to lodge a complaint with the SA. It has also clarified existing rights, such as the right of access, the right to rectification, the right to object and the right to erasure (the "right to be forgotten"), and it sets a default deadline of one month for the Controller to respond to a request.

Consent: The GDPR has introduced stricter requirements on consent compared to the previous legislation. To be valid, consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, expressed by a statement or by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count. The Controller must be able to demonstrate that the data subject gave consent, and where consent is given in a written declaration that also covers other matters, the request for consent must be clearly distinguishable from those other matters. The Regulation also requires that withdrawing consent be as easy as giving it.

Accountability: The GDPR has eliminated the notifications to the SAs by which a Controller declared its processing of personal data, something the previous EU Privacy Directive imposed. Instead, it requires Controllers and Processors to maintain a record of processing activities, which must be made available to the SA on request, for example during an inspection or audit, and more generally requires Controllers to be able to demonstrate their compliance with the Regulation.

Processors: The obligations around Processors have increased with the GDPR. Controllers are now obliged to put in place more robust written contracts (or other legal acts) that set out the subject matter, duration, nature and purpose of the processing and bind the Processor to the guarantees needed to ensure the confidentiality and security of the data. The GDPR imposes the same obligations on Processors with respect to their Sub-Processors: a Sub-Processor may only be engaged with the Controller's prior authorisation, and the same data protection obligations must flow down to it by contract.

International Transfers of personal data: Even though transfers of personal data to third countries were already regulated by the EU Privacy Directive, the GDPR has introduced some alternatives to the already existing appropriate safeguards, such as approved codes of conduct and certification mechanisms (seals and marks), that give Controllers and Processors more options to transfer personal data abroad. In practice, at this moment in time, most organizations rely on the Standard Contractual Clauses (SCCs, also known as Model Clauses) or, when SCCs cannot be put in place, on the legal derogations for specific situations to transfer personal data to third countries. It is possible that in the future different and more efficient approaches will be put in place to transfer personal data from the EU to third countries, especially by multinational organizations.

Breach notifications: Under the GDPR, and contrary to the previous legislation, breach notifications are now mandatory in all MS whenever a personal data breach is likely to "result in a risk to the rights and freedoms of natural persons". The Controller must notify the competent SA without undue delay and, where feasible, not later than 72 hours after first becoming aware of the breach; if the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Processors are required to notify the Controller "without undue delay" after first becoming aware of a data breach. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the Controller must also inform the affected data subjects.

Penalties - Fines under the GDPR are much higher than those imposed under the Directive. Depending on the provisions infringed, organizations in breach of the GDPR can be fined up to 4% of total worldwide annual turnover or EUR 20 million (whichever is higher), or up to 2% of total worldwide annual turnover or EUR 10 million (whichever is higher).

DCA