Chapter 1: Introduction – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice



Background

Directive 95/46/EC

The EU's existing data protection regime is set out in the Directive. The Directive (as with all EU Directives) did not apply automatically, and had to be transposed into the national laws of each Member State. Inevitably, the national legislatures of the Member States applied their own interpretation of the Directive, resulting in a "patchwork" of similar but not identical data protection compliance requirements across the EU. Even where the laws of Member States were essentially similar, each DPA interpreted and enforced those laws differently. As a result, organisations trying to do business in the EU have found that they face inconsistent data protection compliance requirements between Member States.

Societal and technological developments

In the period since the Directive was drafted in the mid‑1990s there have been significant changes in the ways in which people use information, both in business and personal contexts. Many tools and devices that are commonly used today (such as smartphones, fitness trackers and connected cars) did not exist at that time. Consequently, the Directive has had to be adapted to apply to an increasingly interconnected world that it was not designed for. The Directive is therefore in need of updating.


The GDPR

Aims of the GDPR

To address the difficulties arising under the Directive, the EU has created a new data protection regime—the GDPR. The GDPR is intended to harmonise data protection law across the EU, by removing the need for national implementation. In theory, this will mean that organisations face more consistent data protection compliance requirements across the EU. However, as set out in Chapter 17, there are several areas that remain unharmonised. In these areas, compliance requirements continue to vary from one Member State to the next. The GDPR is also designed to address technological and societal changes that have taken place over the last 20 years by adopting a technology-neutral approach to regulation.

Status of the GDPR

The GDPR entered into force on 24 May 2016. However, enforcement of the GDPR will not begin until 25 May 2018 (the "GDPR Effective Date"). Organisations therefore have a limited window in which to ensure that their data processing activities are compliant with the requirements of the GDPR. The national laws implementing the Directive in each Member State will continue to apply until the GDPR Effective Date. However, the process of becoming compliant with the GDPR will take much planning and a significant amount of time. Organisations should begin this process as soon as possible.


Purpose of this Handbook

Identifying the Issues

EU data protection law affects all organisations in the EU (and some organisations outside the EU—see Chapter 4). Many organisations that had few or no compliance responsibilities under the Directive have new or increased obligations under the GDPR. Because the GDPR applies across a very wide range of topics and across all business sectors, it is important for organisations to consider the topics that the GDPR covers, and the practical impact that each topic will have on their respective operations. This Handbook is designed to enable privacy professionals and legal functions within an organisation to quickly identify the issues that are of primary importance to that organisation, and determine how best to address those issues.

Comparing the Directive and the GDPR

In light of the fundamental changes that the GDPR will bring about, an important feature of this Handbook is the comparison between the requirements of the Directive and the GDPR, respectively. By illustrating the differences and similarities between the Directive and the GDPR, this Handbook provides organisations with clear guidance on which compliance requirements change, which requirements do not change, and how organisations should respond.


Structure of this Handbook

This Handbook takes a thematic approach to EU data protection law, addressing the core topics that affect organisations.

Each Chapter provides an analysis of a particular topic, incorporating the features set out below.

The meanings of defined terms are set out in the Glossary in Chapter 20.


An overview of the Chapter

In the first section of each Chapter (in Chapters 3 to 19), there is a brief summary covering the following key issues:

Why does this topic matter to organisations?

This section explains the reasons why the topic is important from a business perspective. For example, a topic may be important because it affects the ability of organisations to share personal data with third parties.

What types of organisations are most affected?

This section identifies the business sectors that are most likely to be directly impacted by this topic. For example, organisations that rely heavily on consent are most likely to be affected by the higher standards of consent imposed by the GDPR.

What should organisations do to prepare for the GDPR?

This section considers the steps that organisations should take, in order to ensure that they are ready for the changes under the GDPR on this topic. For example, organisations may need to conduct Impact Assessments for certain processing activities.


Detailed analysis

The main body of each Chapter (in Chapters 3 to 19) provides a table that reviews each point or issue within the topic. The table has four columns, as follows:

Issue

This column outlines the issue at a high level, and highlights any key points that affect the analysis.

The Directive

This column sets out the position under the Directive.

The GDPR

This column sets out the position under the GDPR.

materially changes

Where there are material differences from the position under the Directive, the "material change" icon appears at the start of the row, and the changes are shown in bold.

does not materially change

Where there are no significant differences, the "no material change" icon appears at the start of the row.

Impact

This column reviews the impact of each issue upon organisations, using one or more of the "impact" icons. Each icon is explained in more detail below.


Icons to convey information quickly

The following icons are used in the table, to clarify the impact of each change:

materially changes

Under the GDPR, the position on this issue materially changes (e.g., the GDPR introduces a new obligation that did not previously exist).

positive

The impact of the GDPR on this issue is likely to be positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

neutral

The impact of the GDPR on this issue is likely to be neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

does not materially change

Under the GDPR, the position on this issue does not materially change (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

negative

The impact of the GDPR on this issue is likely to be negative for most organisations (e.g., because the GDPR introduces a new obligation on organisations).

unknown at this stage

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice

 

If you would like to request a hard copy of this Handbook, please do so here.

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP