The General Data Protection Regulation (GDPR), which became applicable across the EU on 25 May 2018, builds on the core values of the 1995 Data Protection Directive with additional principles and rights. Its two overarching principles are transparency and accountability in what organisations do with personal data. To that end, a range of new obligations has been introduced for organisations, including:
- significant changes to the data protection rules;
- potentially large administrative fines;
- possible sanctions for personal data breaches;
- legal action by data subjects for material and non-material damage.
The GDPR applies to any organisation that collects, stores or otherwise processes personal data in the context of an establishment in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It is the location of the data subject, not their citizenship, that matters.
Some of the key changes:
Non-compliance with the data protection requirements can result in hefty fines. The most serious infringements can attract administrative fines of up to €20 million or 4% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher. Fines of this severity were introduced to encourage compliance with the transparency and accountability principles and to act as a strong deterrent against breaches of data protection law.
A Data Protection Impact Assessment (DPIA) is now mandatory before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale processing of special category data or systematic monitoring of a public area. The assessment gauges the likelihood and severity of the risks involved in the proposed processing, and specific measures must then be put in place to mitigate them. Where the processing is not likely to result in a high risk, a DPIA may not be required, but the reasoning for that conclusion should be recorded.
Data protection by design and by default
Organisations must build data protection into the design of a new product, system or business process from the outset, rather than adding it afterwards, and must by default process only the personal data that is necessary for each specific purpose.
Under the GDPR, the rights of data subjects have been strengthened. They include the right to be informed, the right of access to their data, the rights to rectification and erasure, the right to restrict processing, the right to data portability, the right to object, the right not to be subject to decisions based solely on automated processing, and the right to claim compensation from the controller or processor for any breach.
A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected individuals must also be informed. Subject access requests must be answered without undue delay and at the latest within one month of receipt, extendable by up to two further months for complex or numerous requests provided the individual is told of the extension within the first month.
If you rely on consent to process personal data, the requirement is now stronger: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Processing of special category data (formerly “sensitive personal data”) is prohibited unless one of a limited set of conditions applies, one of which is the individual’s explicit consent for the specified purpose.
The role of Controllers and Processors under GDPR
While data controllers remain principally responsible for the personal data they process, data processors now have direct legal obligations under the GDPR and can be held liable in their own right. The GDPR also formally recognises joint controllers, who must agree between themselves how they will share responsibility for compliance.
As the above shows, the GDPR is a significant change for all organisations, and it is here to stay.
We would strongly advise your organisation to embrace the GDPR and treat it as an opportunity to strengthen your relationship with your customers by demonstrating your commitment to safeguarding their personal data.
If you require any further advice in relation to any Data Protection matters, don’t hesitate to contact us today.