The new EU General Data Protection Regulation (GDPR)

The EU Commission is finalizing the European data protection law called the General Data Protection Regulation (GDPR) and will try to approve it by the end of 2015. The law will unify the legal framework at EU level and will focus on new technologies to define the lawful processing of users' data.

So what does this really mean for application developers?

Currently, the EU data protection legal framework is fragmented and extremely complex to figure out. At central EU level there are currently only directives, which each Member State has “translated” into its own laws. The most important directives are (out)dated: Directive 95/46/EC from 1995 and Directive 2002/58/EC from 2002. These directives have resulted in 28 different data protection laws and legal frameworks, a huge obstacle for the EU digital economy and for application developers aiming to sell their services across the EU.

For example, for developers the question “Is my application compliant with the EU laws?” can be extremely complex, expensive and sometimes impossible to answer. With the new GDPR there will be one single law and one set of rules to comply with. This will simplify legal analysis, implementation and compliance verification across the whole EU. The GDPR will also focus on new technologies such as Cloud, mobile and Big Data, defining their roles and the acceptable methods of processing data.

However, for application developers the GDPR will on one side simplify compliance, while on the other it will set higher and clearer privacy standards and introduce some new concepts such as the right to be forgotten, the one-stop-shop, the risk-based approach, privacy by design, etc.

For example, GDPR will:

  • propose Privacy by Design as the main set of principles driving application development: principles and best practices that call for considering privacy from the early stages of app development.
  • mandate Data Protection Impact Assessments (DPIA) only for larger companies or companies where privacy risks will be higher. For smaller companies and start-ups it will not be mandatory anymore.
  • in the case of data breaches, require Data Controllers to notify their Data Protection Authority within 72 hours.
  • increase fines up to 20 mln. Euro or 4% of the company turnover in case of data breaches.
  • give application users (i.e. Data Subjects) the right to request their data from Data Controllers. This is also known as “data portability”.

Generally, the GDPR will make developers’ lives easier by simplifying the required bureaucracy. However, it will clearly define technical and procedural privacy and security requirements that will need to be satisfied for each kind of application.

Once approved, the Regulation will be immediately valid and applicable. However, it will give companies a period of 2 years to adapt to it.
