The European Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council) is still the data protection law in effect in the European Union at the time of writing. Its replacement, the General Data Protection Regulation (GDPR), was adopted in April 2016 and will apply from 25 May 2018. GDPR significantly broadens the scope of data protection requirements, both in terms of the personas it binds and the territory it covers.
Personas today
Currently, there are two types of personas involved in data protection: controllers, who decide what personal data is collected and for what purpose, and processors, who handle that data on a controller's behalf.
With the current Data Protection Directive, compliance responsibility rests with the controllers, while processors only need to comply with whatever contractual provisions the controllers have put in place. For example, a processor does not have to issue a data breach notification unless the controller requires it. This situation leaves room for interpretation and weakens data protection in practice, because processors have little incentive to invest time and resources in compliance.
Territory today
Currently, the European data protection rules apply only to entities established in the EU; an entity outside the EU is not covered even if it processes personal data about people in the EU.
Personas under GDPR
The controller–processor model remains in place under GDPR, but the requirements change drastically. Along with stronger requirements for controllers, GDPR imposes obligations directly on processors. Thus, processors are directly required to
The direct consequence of the scope extension brought in by GDPR is that many businesses previously outside the scope of data protection regulation will now fall within it. Retailers (including online retailers), analytics companies, marketing companies and advertising companies will all need to comply with GDPR.
Territory under GDPR
Perhaps the most important change is the territorial extension of the scope of EU data protection rules. Before, entities outside the EU did not have to concern themselves with the EU Data Protection Directive; under GDPR, entities that process the personal data of people in the EU must also comply even if they are based outside the EU, where that processing relates to offering goods or services to those people or to monitoring their behaviour. Note that the test is whether the data subjects are in the EU, not whether they are EU citizens. Hence it no longer matters where the processing takes place, as long as the data concerns people in the EU. This massively affects the scope of GDPR because:
A relevant example:
A local authority subcontracts an IT company to deliver cloud-based storage and data management services. The local authority decides what data is sent to the cloud and for what purpose, making it the controller. The IT company is the processor, as it only handles the data without having any say over its contents or its use.
With the current EU Data Protection Directive, the local authority must comply with the requirements directly, but the IT company holding the data is bound only by whatever the contract with the local authority stipulates. If that contract is silent or weak on security, the IT company is under no direct legal obligation to implement the necessary security measures, which means the data is actually at risk.
With GDPR, both the local authority and the IT company will have to comply with data protection requirements in their own right, significantly raising the level of data protection and accountability.
The new GDPR scope removes ambiguity about how to apply the regulation depending on where the data is being processed, and makes data protection a concern for everyone processing the personal data of people in the EU, irrespective of who they are or where they are established. Companies outside the EU that have EU clients will therefore need to revisit their processes and plan for compliance; establishing whether a company has EU clients at all is a process in itself that must be carried out. Companies outside the EU that have EU subsidiaries acting as processors will also need to plan for GDPR compliance. With the growing adoption of online payment methods and the significant rise of e-commerce, the number of processors increases year by year. Since processors will now carry their own obligations, the number of companies within the scope of GDPR will be drastically larger than the number of businesses within the scope of the EU Data Protection Directive today.
This post was last modified on August 21, 2023 7:27 am