08 Jun
Confused about GDPR?
The recent introduction of GDPR has brought about big changes in data protection and privacy, forcing companies to change the way they do business. We have put together a list of 10 top tips to help you understand the new regulation:
- A single set of rules: WE WISH! The GDPR set out to create a common set of rules across the EU. With more than 30 exemptions that allow member states to decide how they implement the rules, things will still not be fully synced.
- Higher fines: To ensure businesses comply, potential fines have significantly increased. Non-compliance could mean a fine of up to 20m euros or 4% of worldwide turnover (whichever is higher).
- No boundaries: Regardless of where you are located, if you are processing EU residents’ personal data then the rules apply to you. So if you are analysing, holding or monitoring the activities of EU residents, your business now falls under the law.
- Definition of personal data: The definition of personal data has expanded. What constitutes ‘personal data’ is now much broader and specifically covers ‘online identifiers’. Anything that contributes to identifying an individual, or links to identifying information, is covered, including cookies and advertising IDs.
- Greater liability: As a data processor you now have a massive responsibility. Data subjects/individuals will be able to take direct action, not just against a data controller, but also a data processor.
- Notification of data breaches: Data protection authorities now need to be notified within 72 hours of any serious data breach, and an organisation also has to let the affected individuals know where the breach may cause them harm.
- Greater business accountability: You still need to register with the Information Commissioner’s Office if you are processing personal data. However, a risk-based approach focused on privacy impact assessments, maintaining good internal records and systems, and entrenching privacy by design and default is also critical.
- Stronger individual rights: As well as strengthening existing rights, new individual rights have been included which businesses are obliged to promote. Data subjects now have a right to be forgotten and to data portability, meaning you could be required to provide data to an individual that they can take to a competitor. Other adaptations mean there is a much greater focus on the clarity of information notices and it should be easier for people to object to different types of processing, including profiling and marketing.
- Cross-border transfers: Standards have been raised for cross-border transfers. Previous mechanisms such as Binding Corporate Rules and model contract clauses are still acceptable. US-based companies can use the EU-US Privacy Shield which has been assessed as adequate.
- Data Protection Officer (DPO): If you’re involved in regular and systematic monitoring, or in processing sensitive data, on a large scale, you will need to appoint a DPO.