Lawfulness of processing: The lawful bases for processing are now set out explicitly in the regulation itself (Article 6), whereas the directive left it to the national law of each member state to determine what counted as lawful. That said, member states retain some freedom to introduce more specific provisions on what lawful processing means in their jurisdiction (for example, for processing carried out under a legal obligation or a public task).
Consent: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Children's consent: Where online services are offered directly to a child and consent is the lawful basis, the regulation requires that consent be given or authorised by the holder of parental responsibility. The age threshold is set at 16 years, but member states may lower it, provided it is not lower than 13 (Chapter II, Article 8).
Applicability to data processors: The GDPR places specific legal obligations directly on data processors; for example, a processor is required to maintain records of the processing activities it carries out on behalf of each controller (Article 30). A processor also has significantly more legal liability than under the directive and can be fined or held liable for damage if it is responsible for a breach of its obligations. This does not relieve the data controller of responsibility. Indeed, the GDPR places further obligations on the controller to ensure that its contracts with processors contain the terms the regulation requires (Article 28).
Extended reach: The GDPR applies to processing carried out in the context of an establishment in the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU (Article 3). As described above, the idea of a Representative established in a member state is introduced for such organisations (Article 27).
Exceptions: Not surprisingly, the GDPR does not apply to certain activities (Article 2), including processing by competent authorities covered by the Law Enforcement Directive, processing for national security purposes and other activities that fall outside the scope of Union law, and processing carried out by individuals purely for personal or household activities. Note that processing by businesses for HR purposes is not exempt: it remains within the GDPR, although Article 88 allows member states to lay down more specific rules for processing in the employment context.
Manual filing: The GDPR also applies to manual filing systems, that is, any structured set of personal data that is accessible according to specific criteria (Article 4(6)). This is wider than the definition in the Data Protection Act and could include chronologically ordered sets of manual records containing personal data.
Data protection by design and by default: Whereas the directive referred only in passing to anonymised data, the GDPR explicitly names pseudonymisation in Article 25 as a measure for protecting personal data. It goes on to require that data protection be designed into systems from the outset (by design) and that, by default, only the personal data necessary for each specific purpose are processed. It even introduces the idea of certification (Article 42), which may be used as an element to demonstrate that this requirement has been implemented (see below).
Data Protection Officers: The GDPR introduces the role of a Data Protection Officer, which is mandatory where processing is carried out by a public authority, where the core activities require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions. It conveniently does not define what constitutes "large scale". There is a whole section on the DPO (Chapter IV, Section 4, Articles 37-39).
Right to be forgotten: In addition to the existing requirements on deletion of personal data, the GDPR introduces the right to erasure, or "right to be forgotten" (Chapter III, Section 3, Article 17). The regulation goes on to deal with the situation where the data have been made public: the controller must take reasonable steps to inform other controllers processing the data that erasure has been requested. Of course there are exceptions, including processing "for exercising the right of freedom of expression and information".
Data Protection Impact Assessment: Where the nature, scope, context and purposes of the processing are likely to result in a high risk to the rights and freedoms of natural persons, the GDPR mandates a Data Protection Impact Assessment (DPIA; Article 35). This is quite a significant document and must describe the processing and its purposes, assess its necessity and proportionality, identify the risks to the rights and freedoms of data subjects, and set out the measures envisaged to address those risks. If the residual risk remains high, the controller must consult the supervisory authority before processing begins (Article 36).
Transparency of data collection: There is a requirement for clear communication to data subjects that their data are being collected and processed (Articles 13 and 14); it even specifies that where a child is involved the information must be understandable to that child. The information must indicate the purposes for which the data are collected and processed and identify the controller (or its representative in the EU) and the data protection officer (where there is one; see above). What makes this really onerous is that it must also be provided where the personal data have not been obtained from the data subject (Article 14), within a reasonable period and at the latest within one month.
Notification of data breaches: Data controllers must notify personal data breaches to the supervisory authority (the DPA), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). This must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a reasoned justification must accompany any notification made after that deadline. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay. That said, there are provisions for NOT communicating to the data subjects in certain circumstances, for example where the data were protected by encryption (Article 34).
Fines: The GDPR establishes a tiered approach to administrative penalties (Article 83) that enables the supervisory authorities (DPAs) to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR 20 million (e.g. breach of the requirements relating to international transfers, of the basic principles for processing such as the conditions for consent, or of data subjects' rights). Other specified infringements, such as breaches of the obligations on controllers and processors (including security, breach notification and DPIA requirements), attract a fine of up to the higher of 2% of annual worldwide turnover and EUR 10 million.