Prior to the GDPR, the EU's data protection regime was governed by the Directive. The Directive (as with all EU Directives) did not apply automatically, and had to be transposed into the national laws of each Member State. Inevitably, the national legislatures of the Member States applied their own interpretation of the Directive, resulting in a "patchwork" of similar but not identical data protection compliance requirements across the EU. Even where the laws of Member States were essentially similar, each DPA interpreted and enforced those laws differently. As a result, organisations trying to do business in the EU found they faced inconsistent data protection compliance requirements between Member States.
Societal and technological developments
The Directive was drafted in the mid-1990s. In the period between then and the GDPR coming into force, there were significant changes in the ways in which people used information, both in business and personal contexts. Many of the tools and devices now in common use (such as smartphones, fitness trackers and connected cars) did not exist at that time. Consequently, the Directive had to be adapted to apply to an increasingly interconnected world that it was not designed for. The Directive therefore needed updating.
Aims of the GDPR
To address the difficulties arising under the Directive, the EU created a new data protection regime—the GDPR. The GDPR is intended to harmonise data protection law across the EU, by removing the need for national implementation. In theory, this means that organisations face more consistent data protection compliance requirements across the EU. However, as set out in Chapter 17, there are several areas that remain unharmonised. In these areas, compliance requirements continue to vary from one Member State to the next. The GDPR is also designed to address technological and societal changes that have taken place over the last 20 years by adopting a technology-neutral approach to regulation.
GDPR is now the law
The GDPR entered into force on 24 May 2016. However, enforcement of the GDPR did not begin until 25 May 2018 (the "GDPR Effective Date"). Organisations had two years to ensure that their data processing activities complied with the requirements of the GDPR. GDPR compliance is a continuous process and organisations should continue their efforts to achieve and maintain compliance. Ensuring continued compliance with the GDPR requires organisations to provide sufficient resources and support to those responsible for managing GDPR compliance and risk.
Purpose of this Handbook
Identifying the issues
EU data protection law affects all organisations in the EU (and some organisations outside the EU—see Chapter 4). Many organisations that had few or no compliance responsibilities under the Directive have new or increased obligations under the GDPR. Because the GDPR applies across a very wide range of topics and across all business sectors, it is important for organisations to consider the topics that the GDPR covers, and the practical impact that each topic has on their respective operations. This Handbook is designed to enable privacy professionals and legal functions within an organisation to quickly identify the issues that are of primary importance to that organisation, and determine how best to address those issues.
Comparing the Directive and the GDPR
In light of the fundamental changes that the GDPR brought about, an important feature of this Handbook is the comparison between the requirements of the Directive and the GDPR, respectively. By illustrating the differences and similarities between the Directive and the GDPR, this Handbook provides organisations with clear guidance on which compliance requirements have changed, which requirements have not changed, and how organisations should respond.
Structure of this Handbook
This Handbook takes a thematic approach to EU data protection law, addressing the core topics that affect organisations. Each Chapter provides an analysis of a particular topic, incorporating the features set out below. The meanings of defined terms are set out in the Glossary in Chapter 19.
An overview of the Chapter
In the beginning of each Chapter (in Chapters 3 to 18), there is a brief summary covering the following key issues:
Why does this topic matter to organisations?
This section explains the reasons why the topic is important from a business perspective. For example, a topic may be important because it affects the ability of organisations to share personal data with third parties.
What types of organisations are most affected?
This section identifies the business sectors that are most likely to be directly impacted by this topic. For example, organisations that rely heavily on consent are most likely to be affected by the high standards of consent imposed by the GDPR.
What should organisations do to comply with the GDPR?
This section considers the steps that organisations should take, in order to ensure that they are compliant with the GDPR on this topic. For example, organisations may need to conduct Impact Assessments for certain processing activities.
A table of detailed analysis
The main body of each Chapter (in Chapters 3 to 18) provides a table that reviews each point or issue within the topic.
The table has four columns, as follows:
Issue: This column outlines the issue at a high level, and highlights any key points that affect the analysis.
The Directive: This column sets out the position as it was under the Directive.
The GDPR: This column sets out the position under the GDPR. Where there are material differences from the position under the Directive, the "material change" icon appears at the start of the row, and the changes are shown in bold and underlined. Where there are no significant differences, the "no material change" icon appears at the start of the row.
Impact: This column reviews the impact of each issue upon organisations, using one or more of the 'impact' icons. Each icon is explained in more detail below.
Icons to convey information quickly
The following icons are used in the table, to clarify the impact of each change:
[Material change icon] Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).
[No material change icon] Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
[Positive impact icon] The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
[Neutral impact icon] The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
[Negative impact icon] The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).
[Unknown impact icon] The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).
Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law
Chapter 1: Introduction
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP