The General Data Protection Regulation ((EU) 2016/679), known as the “GDPR”, is a response to the rapid technological changes since the Data Protection Directive (95/46/EC) was implemented into national law.
It will bring about significant changes to the data protection framework in Europe. The GDPR is a regulation designed to harmonise data protection law across the EU and to transform the way in which personal data is collected, shared and used globally, protecting and empowering the data privacy of all EU citizens and reshaping the way organisations across the region approach data privacy.
The GDPR will repeal the Data Protection Directive and will be directly applicable in EU member states on 25th May 2018. In the UK the Data Protection Bill (DPB), once it receives Royal Assent, and the GDPR must be read together (see Data Protection Bill).
The GDPR is supplemented by the Directive for the police and criminal justice sector ((EU) 2016/680) (the Law Enforcement Directive), which came into force on 5 May 2016; EU member states must transpose it into their national law by 6 May 2018.
It will replace Council Framework Decision 2008/977/JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.
The type and amount of personal data to be processed by the relevant parties depends on the reason such data are processed (the legal basis relied on) and what they will be used for. Several key rules should be respected, including:
- Personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data you’re processing (‘lawfulness, fairness and transparency’).
- The purposes for processing the data must be specific and must be indicated to individuals when collecting their personal data. Personal data cannot be collected for undefined purposes (‘purpose limitation’).
- Only the personal data that is necessary to fulfil that purpose must be collected and processed (‘data minimisation’).
- It must be ensured that personal data is accurate and up to date, having regard to the purposes for which it’s processed, and corrected where it is not (‘accuracy’).
- Personal data can’t be further used for other purposes that aren’t compatible with the original purpose of collection.
- Personal data must not be stored for longer than necessary for the purposes for which it was collected (‘storage limitation’).
- Appropriate technical and organisational safeguards that ensure the security of the personal data must be put in place, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).