John.E. Giannakakis, CIPP/E, CIPM. CFE, GDPR F+P
Co-Founder @ The DPO Academy
On 14th of April 2016 the European Parliament adopted the new General Data Privacy Regulation ("GDPR") The GDPR is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When the GDPR will come into effect on May 25th, 2018 it will replace the 1995 data protection directive ("Directive 95/46/EC").
The new Regulation contains a stricter set of provisions and requirements, including the adjustment of systems to secure "Privacy by Default" and "Privacy by Design", the appointment of Data Privacy Officer in specific cases, the requirement for keeping "Record of Processing Activities" for each legal entity employing over 250 employees or alternatively performing specific types of personal data processing the introduction of the 'Right to be Forgotten" (Article 17) amongst other requirements which broadens and explicitly codifies the right to be forgotten already contained in case law and states, among other things, the obligation to erase Data "without undue delay" if they are no longer necessary to be kept or if consent is withdrawn.
The most critical areas of the GDPR are its aligned and unified enforcement across EU countries, eliminating polyphony of the old regime, which applies at national level only as well as the data transfers both intragroup as well as to Companies outside EEA and Switzerland, as well to the US. GDPR, same as with the EU Data Protection Directive, (95/46/EC) has requirements for the transfer of data to countries outside the EU. Countries still must have an adequate level of protection. The US was not deemed to provide an adequate level of protection under the EU Data Protection Directive, and the solution of choice for most companies for cross-border data transfer was the Safe Harbor Arrangement.
But Safe Harbor was invalidated earlier this year in the Schrems case.