8 Things You Need to Know About the GDPR
The EU has changed its data protection rules. The General Data Protection Regulation (GDPR) represents the biggest change to data protection laws for 20 years.
Continue reading to discover 8 things you need to know about the GDPR.
1. The GDPR won’t just affect the EU
The GDPR will apply in all EU member states from 25 May 2018. As it will come into force before the UK has left the EU, the UK must also comply. Outside of the EU, the GDPR will still have a significant impact, affecting all organisations that handle the personal data of EU individuals. Therefore, even after Brexit, if your organisation processes and holds the personal data of EU residents, you need to ensure it’s being held in accordance with the GDPR.
2. The GDPR will widen the definition of personal data
Anything that counted as personal data under the Data Protection Act also counts under the GDPR. However, the GDPR broadens the definition of personal data further by bringing new kinds of data under regulation, such as genetic, mental, cultural, economic and social information, as well as online identifiers such as IP addresses.
3. The GDPR will tighten the rules for obtaining consent
Arguably, the biggest challenge of the GDPR is the issue of consent. Organisations must prove they have consent to collect and use personal data. This consent must be “freely given, specific, informed and unambiguous”. Businesses will not be able to rely on silence or opt-outs; instead, an active process such as box-ticking must be put in place. Individuals will also have the right to withdraw their consent at any time.
4. The GDPR gives people the ‘Right to be Forgotten’
Under the GDPR, individuals can request the complete deletion of their personal data. Organisations cannot hold data for longer than necessary and cannot use data for any reason other than the one for which it was originally collected. This means organisations must ensure they can delete data upon request.
5. The GDPR introduces a breach notification requirement
The GDPR is designed to ensure organisations constantly monitor for data security breaches. Any breach of, alteration of, or unauthorised access to personal data must be reported within 72 hours. Organisations must have the technology and processes in place to enable them to detect and respond to a data breach.
6. The penalties are substantial
Organisations that fail to comply with the GDPR face hefty penalties. Fines can reach up to 4% of annual worldwide turnover or €20 million, whichever is greater. The GDPR also introduces the right for data subjects to claim compensation for damages. This means that organisations can not only be subject to large fines, but can also be sued for compensation.
7. Some organisations will be required to appoint a Data Protection Officer
The GDPR requires public bodies and organisations that process a large amount of personal information to appoint a data protection officer (DPO). A study by the International Association of Privacy Professionals revealed this will lead to the appointment of 28,000 DPOs across Europe in the next two years.
8. Expertise is essential
All in all, the GDPR amounts to a sea change in data protection legislation. We understand that many organisations don’t know where to begin. Our GDPR consultancy service can help you achieve GDPR compliance. To learn more about the P2V Systems GDPR consultancy, click here.