The EU's existing data protection regime is set out in the Directive. The Directive (as with all EU Directives) did not apply automatically, and had to be transposed into the national laws of each Member State. Inevitably, the national legislatures of the Member States applied their own interpretation of the Directive, resulting in a "patchwork" of similar but not identical data protection compliance requirements across the EU. Even where the laws of Member States are essentially similar, each DPA interpreted and enforced those laws differently. As a result, organisations trying to do business in the EU have found that they are faced with inconsistent data protection compliance requirements between Member States.
Societal and technological developments
In the period since the Directive was drafted in the mid‑1990s there have been significant changes in the ways in which people use information, both in business and personal contexts. Many tools and devices that are commonly used today (such as smartphones, fitness trackers and connected cars) did not exist at that time. Consequently, the Directive has had to be adapted to apply to an increasingly interconnected world that it was not designed for. The Directive is therefore in need of updating.
Aims of the GDPR
To address the difficulties arising under the Directive, the EU has created a new data protection regime—the GDPR. The GDPR is intended to harmonise data protection law across the EU, by removing the need for national implementation. In theory, this will mean that organisations face more consistent data protection compliance requirements across the EU. However, as set out in Chapter 17, there are several areas that remain unharmonised. In these areas, compliance requirements continue to vary from one Member State to the next. The GDPR is also designed to address technological and societal changes that have taken place over the last 20 years by adopting a technology-neutral approach to regulation.
Status of the GDPR
The GDPR entered into force on 24 May 2016. However, it does not apply until 25 May 2018 (the "GDPR Effective Date"), and enforcement will not begin until that date. The national laws implementing the Directive in each Member State will continue to apply until the GDPR Effective Date. Organisations therefore have a limited window in which to ensure that their data processing activities comply with the requirements of the GDPR. Because the process of becoming compliant will take much planning and a significant amount of time, organisations should begin that process as soon as possible.
Purpose of this Handbook
Identifying the Issues
EU data protection law affects all organisations in the EU (and some organisations outside the EU—see Chapter 4). Many organisations that had few or no compliance responsibilities under the Directive have new or increased obligations under the GDPR. Because the GDPR applies across a very wide range of topics and across all business sectors, it is important for organisations to consider the topics that the GDPR covers, and the practical impact that each topic will have on their respective operations. This Handbook is designed to enable privacy professionals and legal functions within an organisation to quickly identify the issues that are of primary importance to that organisation, and determine how best to address those issues.
Comparing the Directive and the GDPR
In light of the fundamental changes that the GDPR will bring about, an important feature of this Handbook is the comparison between the requirements of the Directive and those of the GDPR. By illustrating the differences and similarities between the Directive and the GDPR, this Handbook provides organisations with clear guidance on which compliance requirements change, which requirements do not change, and how organisations should respond.
Structure of this Handbook
This Handbook takes a thematic approach to EU data protection law, addressing the core topics that affect organisations.
Each Chapter provides an analysis of a particular topic, incorporating the features set out below.
The meanings of defined terms are set out in the Glossary in Chapter 20.
An overview of the Chapter
In the first section of each Chapter (in Chapters 3 to 19), there is a brief summary covering the following key issues:
Why does this topic matter to organisations?
This section explains the reasons why the topic is important from a business perspective. For example, a topic may be important because it affects the ability of organisations to share personal data with third parties.
What types of organisations are most affected?
This section identifies the business sectors that are most likely to be directly impacted by this topic. For example, organisations that rely heavily on consent are most likely to be affected by the higher standards of consent imposed by the GDPR.
What should organisations do to prepare for the GDPR?
This section considers the steps that organisations should take, in order to ensure that they are ready for the changes under the GDPR on this topic. For example, organisations may need to conduct Impact Assessments for certain processing activities.
The main body of each Chapter (in Chapters 3 to 19) provides a table that reviews each point or issue within the topic. The table has four columns, as follows:
Issue: This column outlines the issue at a high level, and highlights any key points that affect the analysis.
The Directive: This column sets out the position under the Directive.
The GDPR: This column sets out the position under the GDPR. Where there are material differences from the position under the Directive, the "material change" icon appears at the start of the row, and the changes are shown in bold. Where there are no significant differences, the "no material change" icon appears at the start of the row.
Impact: This column indicates, using the icons described below, the likely impact of the GDPR on this issue for most organisations.
Icons to convey information quickly
The following icons are used in the table, to clarify the impact of each change:
Material change: Under the GDPR, the position on this issue materially changes (e.g., the GDPR introduces a new obligation that did not previously exist).
No material change: Under the GDPR, the position on this issue does not materially change (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
Positive impact: The impact of the GDPR on this issue is likely to be positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
Neutral impact: The impact of the GDPR on this issue is likely to be neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
Negative impact: The impact of the GDPR on this issue is likely to be negative for most organisations (e.g., because the GDPR introduces a new obligation on organisations).
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
Chapter 1: Introduction
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP