
Ready for GDPR? Everything You Need to Know

Dr. jur. Jörg Werner · 5 min read

We live in a data-driven world. From collection to storage, data processing touches almost every aspect of our lives. It comes as no surprise, then, that the previous Data Protection Directive (Directive 95/46/EC) simply could not keep pace with rapid technological developments.

For this reason, the European Commission published legislative proposals in 2012 to reform data protection across the European Union. The goal was to make Europe "fit for the digital age."

At the heart of this reform is the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which applies from 25 May 2018 and introduces the key changes summarised below.

Key Changes Under GDPR

Data Processors and Controllers

The GDPR distinguishes three roles: the Data Subject, whose personal data is processed, and two categories of data handler, the Data Controller and the Data Processor.

  • A Data Subject is any identified or identifiable natural person whose personal data is collected, processed, or stored by a controller or processor. This includes applicants, employees, customers, and website users.
  • A Data Controller is the natural or legal person, public authority, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
  • A Data Processor is a separate natural or legal person that processes personal data on behalf of the Data Controller and only on the Controller's documented instructions (Article 28).

A single law governing data protection across Europe helps resolve the previously confusing legal landscape. Under the old system, every member state had its own national laws, leading to significant differences in regulations and sanctions between countries.

Expanded Territorial Scope

While the applicability of Directive 95/46/EC outside the EU was vague, the GDPR (Article 3) makes it clear that the location of the company is no longer the deciding factor. Besides any controller or processor established in the EU, the regulation applies to companies outside the EU whose processing relates to:

  • Offering goods or services to data subjects who are in the EU, whether or not payment is required;
  • Monitoring the behaviour of data subjects, as far as that behaviour takes place within the EU (for example, tracking visitors to a website).

The test is where the data subject is, not their nationality. A hotel in China that markets rooms to, and takes bookings from, people located in the EU is in scope for that processing even though it has no EU establishment. An EU citizen who walks into a hotel while on holiday in China, however, is not protected by the GDPR in that hotel: the hotel is not targeting the EU and the guest is not in the Union at the time.

Stricter Sanctions

Under the old Directive, fines varied from country to country. For instance, under the previous Data Protection Act (Chapter 440 of the Laws of Malta), fines were capped at €23,000.

Under the GDPR (Article 83), supervisory authorities such as Malta's Office of the Information and Data Protection Commissioner (IDPC) can impose administrative fines in two tiers. Infringements of obligations such as security of processing, record-keeping, breach notification, and processor contracts attract fines of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. More serious infringements, such as breaches of the basic principles of processing, the conditions for consent, data subjects' rights, or the rules on international transfers, attract fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Determining the appropriate penalty is not automatic. Under Article 83(2), authorities must consider, among other things:

  • The nature, gravity, and duration of the infringement;
  • Whether the breach was intentional or negligent;
  • Any actions taken to mitigate damage to data subjects;
  • The degree of responsibility, taking into account the technical and organisational measures implemented;
  • Any previous infringements.

New Obligations

  • Proof of Compliance (Accountability): Beyond implementing technical and security measures, Controllers are responsible for documenting the measures taken, their effectiveness, and how they are reviewed and updated.
  • Transparency: Controllers generally have an obligation to inform data subjects—in simple and precise language—about their rights and how their personal data is collected, used, and stored.
  • Appointing a Data Protection Officer (DPO): A DPO must be appointed by public authorities and bodies, and by any organisation whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions (Article 37). The DPO is responsible for conducting regular checks and assessments, promoting a culture of data protection, and acting as a bridge between the company, data subjects, and the regulatory authority.
  • Monitoring Processors: Controllers may only use Data Processors that provide sufficient guarantees (i.e., appropriate technical and organisational measures) in line with GDPR requirements, and must bind them by a written contract or other legal act setting out the subject matter, duration, nature, and purpose of the processing and the Processor's obligations (Article 28).

Liability

Under Directive 95/46/EC, Data Controllers essentially acted as a shield for Data Processors. Under the GDPR (Article 82), data subjects can take action directly against Data Processors and claim compensation for material or non-material damage, although a Processor is liable only where it has breached obligations directed specifically at processors or has acted outside of, or contrary to, the Controller's lawful instructions.

Breach Notification

Under the old Directive, breach reporting was only mandatory for the electronic communications sector.

Now, any Controller is obliged to notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), counting weekends and public holidays, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay (Article 34), and a Processor that detects a breach must notify its Controller without undue delay. Failure to report within this timeframe significantly increases the liability of the Controller, as reporting is a statutory obligation.

Data Protection by Design & Default

From the very beginning—before buying a new system, starting a new process, or opening a new service line—Controllers must ensure data protection is built in.

Controllers must ensure that:

  • Data Minimisation is applied: only strictly necessary data should be collected. Collecting data "just in case" for future use is no longer an acceptable excuse.
  • Purpose Limitation is respected: processing is limited to the specific purpose for which the data was collected.
  • Security Measures are in place: data must be protected by measures appropriate to the risk, such as encryption, pseudonymisation, strong authentication, and backups that allow availability and access to be restored after an incident (Article 32), though no system is 100% infallible.
  • Impact Assessments (DPIA) are conducted beforehand if the processing is likely to result in a high risk to data subjects (Article 35).
  • Access Control is enforced: data should only be viewed by authorised personnel when absolutely necessary.
  • Documentation is maintained for all processing activities.

Where processing relies on consent (one of the six lawful bases in Article 6), that consent must meet the following requirements:

  • Freely given
  • Specific
  • Positive Opt-In (no pre-ticked boxes)
  • Unambiguous
  • Informed
  • Documented

The right to withdraw consent must be just as easy as the right to give it.

Data Retention

While the obligation not to keep personal data longer than necessary existed under Directive 95/46/EC, the GDPR requires Controllers to specify the exact period for which personal data will be stored, or the criteria used to determine that period.

Exception: Data processed solely for archiving purposes in the public interest, or for scientific, historical research, or statistical purposes, may be stored for longer periods, subject to appropriate technical and organisational safeguards (Article 5(1)(e)).

More Control for Individuals

Although the previous Directive already provided certain rights (information, access, rectification, erasure or blocking, objection, and protection against automated decision-making), the primary goal of the GDPR is to give individuals more control over their personal data.

The GDPR introduced or substantially strengthened the following rights:

  • The Right to Erasure (Article 17, also known as the Right to be Forgotten), with broader grounds than the Directive's erasure right;
  • The Right to Data Portability (Article 20), which is new.

These rights are not absolute (erasure can be refused, for example, where the data must be retained to comply with a legal obligation), and requests must be answered without undue delay and in any event within one month, extendable by two further months for complex or numerous requests provided the data subject is told of the delay within the first month.

Conclusion

There is no "one-size-fits-all" approach to the GDPR. However, it is indisputable that companies must take comprehensive and appropriate measures to maintain data protection and minimise the risk of breaches.

As Andrus Ansip stated: "Europe’s digital future can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information."

About the author

Dr. jur. Jörg Werner

Management

Dr jur. Jörg Werner founded DW&P in Malta in 2013 with the goal of advising German-speaking entrepreneurs on company formation and tax planning on the ground. His extensive legal expertise and strategic understanding of the needs of international clients continue to shape the firm’s direction.
