Is your business ready for the GDPR? The clock is ticking!
in relation to data processing undertaken by the controller or processor.
GDPR will require increased compliance, training and the use of Privacy Impact Assessments (PIAs).
Data Subjects will have enhanced rights, such as the ‘Right of Erasure’, ‘Right to be Forgotten’, ‘Right to Portability’, and the ‘Right to Control Profiling’.
If a customer asked you for their personal data to be erased from your system, would you be able to act? And I don’t mean just ‘flagged’ as ‘do not contact’ on your database!
What is the GDPR?
It’s the General Data Protection Regulation: a new EU Regulation intended to combine and strengthen Data Protection within the EU and UK (Brexit doesn’t affect it).
This regulation was made on the 27th of April 2016 and is due to come into force on the 25th of May 2018, which should give businesses time to adapt to the changes. GDPR will replace the outdated Data Protection Act, which has many gaps in it because of the rapid advancement of technology since 1995, when the Act was made.
The GDPR will cover all countries that process or hold the personal data of EU citizens, whether or not that country is part of the EU. This means that Britain will still have to abide by the GDPR despite the result of the EU referendum at the end of June.
Most important changes
GDPR will make it easier for Data Controllers to rely on ‘legitimate business interests’ as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and the data subject.
Consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Parents will be required to provide consent for the personal data of children under the age of 16 for online services; member states may legislate for a lower age, but this will not be below the age of 13.
There will be increased requirements as to what information must be provided to individuals before processing their data (via a privacy policy or ‘fair processing notice’).
Multinationals will benefit from a one-stop shop, where the Data Protection Authority (DPA) in the member state where the controller or processor has their main establishment will be the lead authority.
Data processing agreements between Data Controllers and Data Processors will be required to contain extensive mandatory data protection clauses, such as the controller’s right to audit its processors, and obligations on processors to assist with subject access requests and personal data breaches.
Organisations will be required to maintain a record of ALL their data processing activities, which must be made available for inspection.
Codes of Conduct and Certifications will be developed to assist data controllers and processors to demonstrate their compliance with the GDPR and to legitimise international data transfers.
Organisations whose core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale, or of special categories/criminal-related data, will be required to appoint a Data Processing Officer.
Data Breaches which may pose a risk to individuals must be notified to the DPA within 72 hours, and to affected individuals without undue delay.
Fines of up to 4% of annual worldwide turnover or the preceding an