On December 17th, 2015, the EU Parliament's LIBE committee voted positively on the outcome. The “General Data Protection Regulation” (16GDPR, for short) is expected to be adopted in Spring 2016, becoming mandatory in Spring 2018 across EU countries.
The previous EU law requirements are set out in 95/46/EC, the Privacy Directive (95PRVC, for short), and those are still the ones currently in force.
GDPR vs Privacy Directive in brief
The following table summarizes the main differences between the upcoming Regulation and the past Directive:

| | 95PRVC | 16GDPR | Notes |
|---|---|---|---|
| Type | Directive | Regulation | No longer implemented by each member state through internal law; it is issued directly by the EU |
| User Right | Erasure | to be Forgotten | Much more far-reaching, considering the information dissemination in Europe |
| Data Right | Inventory | Portability | Now a functional requirement for social networks and cloud providers |
| Cyber Right | N/A | Breach Notification | Needs to go public, hitting the firm's reputation, within 72h |
| Accountability | N/A | Protection Officer | New job role. Direct responsibility |
| Sanction | by member state law | strictly accurate | Up to 4% of the annual worldwide turnover of the preceding financial year |
| Scope | EU Company | EU Resident | Applies to organizations based outside the EU that process EU residents’ data |
| Purpose | General | Specific | 95/46/EC: focus on data; 16GDPR: focus on aims (of data) |

Big Data is the most important issue not covered.
GDPR text vs Privacy text in brief
The following table summarizes the main differences between the upcoming Regulation and the past Directive:

| | 95PRVC | 16GDPR | Notes |
|---|---|---|---|
| Year | 1995 | 2016 | It took 20+ years to update the obsolete law |
| Premises | 72 | 135 | 95/46/EC |
| #Chapters | 8 | 11 | New topics: Specific Data; Implementation |
| #Articles | 34 | 90 | More detailed arguments: Principles; Roles and Processes (Accountability); Specific Data |

GDPR Structure
The regulation is organized as follows:

| Ch | Title | Art. | Addressing | 95PRVC |
|---|---|---|---|---|
| I | General provisions | 1-4 | Scope, objectives, definitions | ch I |
| II | Principles | 5-10 | Lawfulness, data processing | ch II |
| III | Right of the Data Subject | 11-21 | Transparency, Data Access, Certification, Erasure, | premises |
| IV | Controller and Processor | 22-39 | Role: Protection Officer | no |
| V | Transfer Data to 3rd Countries | 40-45 | Safeguards, Binding Rules | ch IV |
| VI | Independent Supervisory Authorities | 46-54 | Independence, Tasks, Powers | ch VI |
| VII | Co-operation and Consistency | 54b-72 | Mutual Assistance, EU Data Protection Board | ch VII |
| VIII | Remedies, Liability and Sanctions | 73-79b | Complaint, Judicial Remedy, Administrative Fines | ch III |
| IX | Provisions related to Specific Data Processing | 80-85 | Information Freedom, Official Documents, National IDs, employment, scientific, statistical, historical, religious | no |
| X | Delegated Acts and Implementing Acts | 86-87 | Delegation | no |
| XI | Final Provisions | 88-90 | Repeal of 95/46/EC; relationship to 2002/58/EC | N/A |