What is the GDPR? Does it apply to me?
The GDPR introduces stricter data protection requirements for the processing of personal data relating to individuals in the EU. These requirements impose new obligations on businesses that fall into either of two roles, data controller or data processor. Although the Regulation does not apply until 25th May 2018, it is important to start acting now.
Data Controllers – Any entity which collects or stores personal data and determines the purposes and means of its processing.
Data Processors – Any third party which processes personal data on behalf of a controller.
What counts as “Personal Data”?
The GDPR extends the definition of “Personal Data” beyond the scope of the Data Protection Act 1998. It now expressly covers cultural and economic identifiers and online identifiers such as IP addresses. Sensitive data is also caught under the new Regulation under the term “Special Categories of Personal Data”, which now includes genetic and biometric data.
Key Requirements I
1. Consent and Transparency:
2. Individuals’ Rights:
The GDPR strengthens individuals’ rights regarding the use and storage of their personal data:
• Right to be Informed of how their personal data is processed
• Right of Access and Right to Rectification
• Right to Erasure (the “right to be forgotten”)
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Rights Related to Automated Decision Making and Profiling
Key Requirements II
3. Data Protection Officer [DPO]: A member of staff (or an external appointee) designated, where the Regulation requires one, to monitor the organisation’s compliance with the GDPR and to act as its contact point with the supervisory authority.
4. Accountability: Organisations must be able to demonstrate compliance. A Data Protection Impact Assessment [DPIA] must be carried out before processing that is likely to result in a high risk to individuals’ rights, for example when using new technologies or processing special categories of data on a large scale.
5. Transfer of Data: Personal data should not be transferred outside the EU unless the destination country has been recognised by the Commission as providing an adequate level of protection, or appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place to ensure the standard of protection insisted on by the Regulation.
6. Breach Notification: A personal data breach must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights. Where the risk to individuals is high, the affected individuals must also be informed.
• Fines of up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements
• For less serious infringements, fines of up to 10 million Euros or 2% of annual worldwide turnover, whichever is higher
• A reprimand may be issued in lieu of a fine where appropriate
To book a space on our exclusive GDPR focus group at the Hybrid Legal offices – click here to register.