What is GDPR?
The acronym GDPR stands for ‘General Data Protection Regulation’. It is the most significant change to data privacy law in 20 years.
It had been in progress for four years and was finally approved by the EU Parliament on 14th April 2016. It replaces the Data Protection Directive (DPD) and is intended to harmonise data privacy law across Europe. Its approval raised a lot of questions, and some panic, about exactly who it will affect and what must be done to be compliant.
The regulation applies from 25th May 2018, and from that date organisations that are not compliant face heavy fines. Iocea therefore stress the importance of preparing early and putting these changes into practice well before that date.
What is Classed as Personal Data?
Key Changes Under GDPR
Increased Territorial Scope (extra-territorial applicability)
This is one of the biggest changes GDPR brings: it applies to all companies that process the personal data of individuals residing in the Union, regardless of where the company is located. This protects the individual further than the previous DPD, whose wording was ambiguous and referred only to processing ‘in the context of the activities of an establishment’ in the EU.
GDPR makes its applicability very clear. It applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not. It also applies to controllers and processors outside the EU where the processing relates to offering goods or services to people in the EU, or to monitoring their behaviour.
Non-EU businesses that process the data of individuals in the EU on this basis will, in most cases, also have to appoint a Representative within the EU.
Consent
The conditions for consent have been strengthened so that companies can no longer use long-winded terms and conditions to capture a visitor’s data by stealth. A request for consent must be presented in an intelligible and easily accessible form, clearly distinguishable from other matters, and written in clear and plain language. Withdrawing consent must be as easy as giving it.
Penalties
If you are found to be in breach of GDPR you face a fine of up to 4% of your annual global turnover or €20 million, whichever is greater. This is the maximum fine and applies to the most serious infringements, for example not having sufficient consent to process data or violating the core Privacy by Design principles. Fines are tiered according to the severity of the breach; a lower tier of up to 2% of annual global turnover or €10 million applies to lesser infringements such as failing to keep adequate records or failing to notify a breach. The rules apply to both controllers and processors of data.
Breach Notification
Breach notification becomes mandatory in all member states where a breach is likely to ‘result in a risk to the rights and freedoms of individuals’. The supervisory authority must be notified within 72 hours of the controller becoming aware of the breach. Processors must notify the controller without undue delay, and where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay.
Right to Be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase their personal data, cease further dissemination of it, and potentially have third parties halt processing of it. The grounds for erasure include the data no longer being necessary for the purpose it was collected for, or the data subject withdrawing consent.
Right to Access
This is the right of data subjects to obtain from the data controller confirmation as to whether personal data concerning them is being processed, and if so, where and for what purpose. On request, the controller must provide a copy of the personal data, free of charge, in an electronic format.
Data Portability
GDPR introduces data portability: the right of a data subject to receive the personal data concerning them which they previously provided to a controller, in a ‘structured, commonly used and machine-readable format’, and the right to transmit that data to another controller.
Privacy by Design
This concept has existed for years but only now becomes a legal requirement under GDPR. It calls for data protection to be built into systems from the outset of their design, rather than added afterwards. It also requires controllers to hold and process only the data necessary to carry out their duties, and to limit access to personal data to those who need it to carry out the processing.
Data Protection Officers
Currently, controllers are required to notify their data processing activities to local DPAs. Under GDPR this notification is no longer required; instead there are internal record-keeping requirements. Appointing a Data Protection Officer becomes mandatory for public authorities and for controllers and processors whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data.
Don’t hesitate to contact us to arrange an appointment to discuss what you need to be GDPR ready.
Take a look at our simple guide for data obligations for companies below:
We also highly recommend you read up on this guide provided by the ICO, giving an overview of GDPR: