The General Data Protection Regulation (GDPR)
The GDPR is a directly applicable regulation with 173 recitals and 99 articles in eleven chapters. Unlike the Directive, it binds directly, applies extraterritorially based on the location of the data subject (offering goods/services to people in the EU or monitoring their behaviour), strengthens consent, adds new rights, an accountability regime, 72-hour breach notice to the DPA, and top-tier fines of €20 million or 4% of worldwide turnover.
The GDPR keeps familiar concepts from the Directive, but its effect is far greater. It is directly applicable across all member states without national transposition, and crucially extends many obligations to processors. For non-EU firms, scope turns on the location of the data subject: offering goods or services to people in the EU (paid or not) or monitoring their behaviour. Recital 24 confirms that online tracking to analyse or predict preferences triggers the GDPR.
| Feature | Directive 95/46 | GDPR |
|---|---|---|
| Legal form | Directive (needs national transposition) | Regulation (directly applicable) |
| Structure | 72 recitals, 34 articles | 173 recitals, 99 articles |
| Applies to | Controllers only | Controllers and processors |
| Extraterritorial test | Use of EU processing equipment | Location of data subject (offering / monitoring) |
| Consent | Required, lower bar | High standard; explicit, unbundled, withdrawable |
| Breach notice | Not mandated | 72 hours to the DPA |
| Security duty on | Controllers | Controllers and processors |
| Max fine | Set by member states | €20 million or 4% of worldwide turnover |
- Stronger consent: unbundled, withdrawable any time, no ‘take-it-or-leave-it’, parental consent for children (age set by member states)
- New/stronger rights: data portability, restriction, right to be forgotten, profiling protections; subject access fee removed unless ‘manifestly excessive’
- Accountability regime: policies, data protection by design and by default, records, DPIAs, prior consultation, mandatory DPOs for public sector / big data processing
- Processors' new obligations: no sub-processing without controller consent, prescriptive contract terms, records, security, DPO in some cases
- Transfers via adequacy, binding corporate rules, standard contractual clauses, approved codes, certification or DPA-authorised clauses
- 72-hour breach notification to the DPA unless ‘unlikely to result in a risk’; high-risk breaches also notified to individuals
- Top-tier fines of €20 million or 4% of total worldwide annual turnover, whichever is higher
The 72-hour window applies to notifying the DPA, not individuals, and only ‘where feasible’ and unless the breach is unlikely to result in a risk to individuals' rights. Individuals are notified separately, and without a fixed deadline, when the risk is high. Do not say individuals must be told within 72 hours.