The European Union's new General Data Protection Regulation (GDPR) is complex, but here are 10 key facts that should help you understand it.
GDPR Applies to Everyone
GDPR applies to any organisation, wherever in the world it is based, that processes the personal data of individuals in the EU, whether it is established in the EU or offers goods or services to, or monitors the behaviour of, people located there. Note that the test is where the individual is, not whether they hold EU citizenship. This extraterritorial reach is what sets GDPR apart from earlier data protection laws, and it means companies around the world will need to take data privacy more seriously.
GDPR will Widen the Definition of Personal Data
The definition of personal data has always been fairly wide, and GDPR broadens it further. Any information relating to an identified or identifiable individual counts, including online identifiers such as IP addresses and cookie IDs, location data, and genetic, biometric, mental, cultural, economic or social information. Pseudonymised data is still personal data if the individual can be re-identified with additional information. This makes it hard for an organisation to argue that the data it holds falls outside the regulation.
GDPR Tightens the Rules for Obtaining Valid Consent to Using Personal Information
Being able to prove valid consent for using personal information will be one of the biggest challenges GDPR presents. Organisations must ask for consent in clear, plain language, separately from other terms and conditions, and explain what data they collect and how they will use it. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes, silence or inactivity do not count), and as easy to withdraw as it was to give. Organisations relying on consent must keep records that demonstrate it was obtained. Consent is only one of several lawful bases for processing, so it is worth checking whether another basis, such as contract or legitimate interests, fits better before relying on it.
GDPR Makes the Appointment of a DPO Mandatory for Certain Organisations
GDPR requires a data protection officer (DPO) to be appointed by public authorities, by organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by organisations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. There is no headcount threshold: the obligation depends on what an organisation does with personal data, not on its size. The DPO must report to senior management and must not be penalised for performing their duties.
GDPR Introduces Mandatory Data Protection Impact Assessments (DPIAs)
Mandatory data protection impact assessments (DPIAs, often called privacy impact assessments or PIAs) reflect the influence of the UK Information Commissioner's Office, which has long promoted PIAs in its guidance. Data controllers must carry out a DPIA before starting any processing that is likely to result in a high risk to individuals, for example large-scale processing of special categories of data, systematic monitoring of public areas, or profiling with legal or similarly significant effects. The assessment must describe the processing, evaluate its necessity and the risks to data subjects, and set out the measures taken to reduce those risks. Where a high risk remains that cannot be mitigated, the controller must consult the supervisory authority before going ahead.
GDPR Introduces a Common Data Breach Notification Requirement
GDPR harmonises the patchwork of data breach notification laws across Europe and is meant to ensure organisations are actively monitoring for breaches of personal data. Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the affected individuals must also be told without undue delay. Processors must report any breach to their controller without undue delay, and every breach, whether notified or not, must be documented internally. Meeting a 72-hour window requires an incident response process that can detect, assess and escalate a breach quickly, which may mean staff training and changes to internal security controls.
GDPR Introduces the Right to be Forgotten
The regulation requires organisations not to keep personal data for longer than necessary and not to use it for purposes incompatible with those for which it was originally collected. Individuals can ask for their data to be erased, for example when it is no longer needed for the original purpose, when they withdraw consent, or when it was processed unlawfully, and organisations must comply without undue delay unless an exception applies, such as a legal obligation to retain the data. Organisations therefore need processes and technologies that can locate and delete an individual's data across all of their systems, including copies held by their processors, in response to such a request.
GDPR Expands Liability Beyond Data Controllers
Under the previous Data Protection Directive, only data controllers were directly liable for data processing activities. GDPR imposes direct obligations on data processors as well, so every organisation that handles personal data on a controller's behalf, such as cloud providers and outsourcers, can be held liable and fined. Controllers must also have a written contract with each processor setting out the processor's duties, including security measures, assistance with breach notification, and deletion or return of the data when the service ends.
GDPR Requires Privacy by Design
GDPR requires privacy to be built into systems and processes from the outset (data protection by design) and the most privacy-protective settings to apply by default (data protection by default). All software, systems and processes must be designed with the data protection principles in mind, for example by collecting only the data needed for a stated purpose, pseudonymising or encrypting it where possible, limiting who can access it, and retaining it no longer than necessary.
GDPR Introduces the Concept of a One-Stop Shop
Under the one-stop shop, an organisation that processes data across several EU states deals primarily with a single lead supervisory authority, the one in the country of its main establishment, rather than a separate authority in every member state. This makes regulatory dealings cheaper and simpler for organisations. Individuals keep the right to lodge a complaint with the supervisory authority in their own country, which then cooperates with the lead authority on the case. Enforcement is not limited to companies based in the EU: an organisation anywhere in the world that falls within GDPR's scope can still face action, and those without an EU establishment must appoint a representative in the EU.