GDPR: What is it?
The EU General Data Protection Regulation (GDPR) is new legislation that provides a single, harmonised data privacy law for the European Union. The GDPR will replace the current Directive and will be directly applicable from 25 May 2018 in all Member States. The GDPR will affect every organisation that processes EU residents’ personally identifiable information (PII).
The GDPR also imposes obligations on companies not only to document and safeguard information on identifiable living persons, but also to be able to evidence compliance.
With the increasing risk of data breaches and cyber-attacks, the GDPR aims to prevent the loss of personal data by improving data security for all individuals living in EU member states.
All organisations must comply with the new law from 25 May 2018, or potentially face fines of up to 4% of annual turnover or €20 million (whichever is greater).
The key changes introduced by the Regulation:
The GDPR introduces a number of key changes for organisations.
- The definition of personal data is broader, bringing more data into the regulated perimeter.
- The scope is broader: if your business is not in the EU but you process the data of people who reside within the EU, or of EU citizens, you will still have to comply with the Regulation.
- A requirement to implement Privacy by Design.
- The introduction of mandatory Data Protection Impact Assessments.
- Changes to the rules for obtaining valid consent, including how consent will be necessary to process children’s data.
- The appointment of a data protection officer (DPO) will be mandatory for certain companies and other bodies.
- New data breach notification requirements.
- Increased data subject rights. EU residents and other EU data subjects will have the following rights:
- To access their data.
- To obtain a copy of their data.
- To rectify their data.
- To restrict processing of some or all of their data.
- To withdraw consent for some or all of their data.
- To invoke the right to be forgotten.
- To data portability.
Further changes introduced by the Regulation:
- Increased restrictions on international transfers of data.
- Increased data processor responsibilities.
- Companies are required to be able to demonstrate compliance.
Becoming compliant, and evidencing that compliance, is the big challenge facing SMEs and all companies.
The Data Protection Group has been formed by industry specialists and legal and compliance experts to assist companies in meeting this obligation in a straightforward and cost-effective manner.