The General Data Protection Regulation (GDPR) will come into effect on 25th May 2018. This new regulation, imposed by the European Union, aims to enforce new rules relating to data privacy. European individuals will benefit from stricter guidelines on how their data is collected and managed by organisations. As a result, any organisation wishing to deal with European users must comply with the GDPR.
The new regulations have caused a global shake-up in regards to data handling. Organisations across the world have had to re-evaluate how they collect and manage user data to comply with the new law. Below, we’ve summarised what you “need to know” to help make sure you’re compliant with the new regulation.
Scope
- The GDPR applies to all businesses who will process personal data of an EU resident, meaning it will be enforceable regardless of the location of the organisation
- Organisations that process data on behalf of others are accountable. Companies that outsource data (data controllers) will be liable if they haven’t carried out proper due diligence when employing third-parties (data processors) to manage data
Data Processing
- Organisations must enforce tougher measures regarding the storage, sharing and accessibility of data
- Operational policies and procedures must be updated to reflect the new guidance provided the GDPR
- Organisations must be transparent about how they record, analyse and report on data
Compliance
Failure to comply with the GDPR will result in a fine of €20m (or 4% of annual global turnover depending on which is the larger sum).
Data Protection Officer (DPO)
A DPO is a new role highlighted in the guidelines as the individual responsible for ensuring their organisation meets their obligations under the GDPR. A DPO is required if the organisation is in the public sector, processes large amounts of personal data or monitors individuals
Data Breaches
Organisations must report a data breach to the relevant authority within 72 hours. If the data is considered to be “sensitive” or “high risk”, the organisation must notify the affected individual immediately. Third-parties must also inform the primary data controller of a breach immediately.
Accountability & Consent
- Organisations must only use data for the purpose it was collected
- Organisations should put in place procedures that manage data according to the specific consent given by the data subject
- Data privacy notices should be explicit whenever personal data is collected
- Organisations should store and maintain evidence of consent provided by the data-subject
Privacy Impact Assessments
A Privacy Impact Assessment should be carried out by organisations who are collecting “high risk” or large amounts of personal data.
User Rights
Data subjects have the right to request access to their data and make changes. Organisations should respond and allow users to correct and update records, move and remove their data (right to be forgotten).
Privacy by Design & Default
Organisations should consider personal data privacy in the development of all business processes. As standard, all users should be given the strictest privacy settings unless explicit consent has been given by the data subject.
While this overview of GDPR is by no means comprehensive, we hope that it will provide your organisation with an introduction to your obligations under the GDPR. For further assistance with data privacy and the GDPR, please contact our team.