The EU General Data Protection Regulation (GDPR) is the most important
change in data privacy regulation in 20 years - make sure you're prepared.
The General Data Protection Regulation (GDPR) is a European Union "Regulation" established to protect the personal data of anyone in the EU. The regulation was published on 24 May 2016. Because it is a "Regulation" rather than a Directive, it did not need to be ratified by the member states' national parliaments: it became law in all member states on the date of its publication. From May 2016 a two-year transition period was defined to give organisations time to ensure compliance. That period expires on 24 May 2018; as of 25 May 2018 the GDPR will be enforced and organisations must comply. The GDPR was developed, building on the European "1995 Data Protection Directive" (Directive 95/46/EC), to harmonize data protection within the EU, and it is focused on the protection of the individual. The GDPR applies to all companies located within the EU and to all companies offering goods or services to people residing in the EU. This means that everyone residing in the EU can rely on the protection of the GDPR, regardless of their nationality or the location of their supplier of goods or services.

The major changes versus the former Directive 95/46/EC are the following:
- Increased Territorial Scope (extra-territorial applicability): as mentioned above, the jurisdiction of the GDPR has been extended to all individuals residing in the EU.
- Penalties: maximum fines have been defined. Penalties are applicable to both controllers and processors.
- Consent: the conditions under which consent is considered valid have been strengthened.
- Data Subject Rights:
  - Breach Notification: notification is now mandatory (within 72 hours) if there is a risk to the rights and freedoms of individuals.
  - Right to Access: data subjects now have the right to obtain from the controller confirmation as to whether or not their personal data is being processed, where and for what purpose. A copy of the data must be provided free of charge.
  - Right to be Forgotten or "Data Erasure": data subjects may request that their personal data be erased and that further dissemination and processing cease.
  - Data Portability: a data subject can request to receive a copy of their personal data in a common format and has the right to transfer that data to another controller.
- Privacy by Design: data protection must not be implemented as an add-on but as a core part of the data processing systems.
- Data Protection Officers: DPO appointment is mandatory if the core activities consist of processing operations with regular and systematic monitoring of data subjects on a large scale, or if special sensitive categories of data are processed. A DPO:
  - Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
  - May be a staff member or an external service provider
  - Must have their contact details provided to the relevant DPA
  - Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  - Must report directly to the highest level of management
  - Must not carry out any other tasks that could result in a conflict of interest.