The General Data Protection Regulation (“GDPR”) seeks to harmonise data protection laws across Europe and is effective from today, 25 May 2018.
Data protection law is nothing new, so what’s the big deal with the GDPR? We summarise some of the main changes below.
The concept of being transparent with individuals about how their data is used is central to the GDPR.
Data controllers are required to inform individuals at the time their information is collected of the legal basis of the processing and the period for which it will be stored. There are additional transparency obligations whenever an organisation is seeking the consent of an individual. These changes are likely to require most businesses to review and re-write their privacy policies and fair processing notices.
Data controllers are now required to notify regulators of personal data breaches within 72 hours and, where the breach is likely to result in a high risk to individuals, to notify individual data subjects without undue delay.
Enhanced rights for individuals
The GDPR includes a number of rights for individual data subjects. In addition to rights to access their data and to object to processing, which are retained from the previous law, individuals have the right to receive their data in a commonly used and machine-readable format and the right to have their data erased or “to be forgotten”. Individuals also have the right to compensation for immaterial as well as material damage suffered as a result of a breach.
Holding organisations to account
Another key theme of the GDPR is the principle of accountability. There are new requirements on data controllers (and processors) to demonstrate their compliance by fully documenting their data processing activities.
The Information Commissioner’s Office now has additional powers to levy administrative fines. These may be the greater of €20 million or 4% of worldwide turnover, which is a significant increase on the previous £500,000 maximum.
Although the GDPR is now effective, it is not too late to achieve compliance. We can assist with the review of Terms of Business and Data Protection Policies as well as with the preparation of Privacy Notices. Get in touch today to make sure your business is not one of those to face a hefty fine.