One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve aren’t dictated).
The GDPR is the successor to the European Union’s Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the European Union (EU) enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.
However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.
Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:
The GDPR needs to fit into the member state’s legal framework.
National legislation is needed to choose from the exemptions permitted by the GDPR.
At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.
Data protection laws
Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.
This list describes a handful of additional points about these laws to keep in mind. Data protection laws:
Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protection laws, the vast majority of countries around the world have some form of data protection laws.
Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
Prevent common misuses of personal data: Organizations often (i) fail to put in place appropriate measures to keep personal data secure, (ii) fail to inform the data subject at the point of data collection about what they intend to do with the personal data and, where necessary, to obtain consent, and (iii) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.
Countries hold to varying degrees of regulation and enforcement, and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data.
The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:
Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it.
Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it.
Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA).
Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data processing.