Across Europe, significant changes in data legislation came into effect last week in the form of the new General Data Protection Regulation (GDPR). This new legislation is intended to make data protection laws consistent across the EU. It has implemented more contemporary legislation with existing laws that were protecting data usage on social media and the volumes of data that are available to organisations.
There are 10 primary changes as part of the GDPR, and one of them is the requirement for organisations to make data available to data subjects whenever they want it and to keep more detailed records of data processing activity. You will also have to let a relevant authority know when your data gets breached. Your data controller will have to do this within 72 hours; if you don't comply with this, you will get fined.
GDPR applies to any organisation which engages in data processing or control activities within the EU, even if the organisation is based outside of the EU.
There is now a “One-Stop Shop” where multinational companies are mainly regulated by the supervisory authority of their primary establishment. Other concerned authorities can also get involved in handling complaints against the company.
Increased Processor Obligations
Data processors now have statutory obligations and are subject to direct enforcement by supervisory authorities. Processors will now be liable for data protection breaches if they act outside of the instructions that are set by controllers.
Improved Record Keeping
You will be required to keep detailed records of all processing activities and present these records upon request from the relevant supervisory authority.
Transparent Presentation of Data
You will need data processors to present a greater amount of personal information to data subjects, and they must present it in a manner that is fully accessible and understandable.
Decreased Reliance on Consent
Consent from data subjects must be explicit, which makes consent less reliable as a legal basis for data collection. Data subjects are now able to withdraw consent at any time, and it must be easy for them to do this.
Enhanced Individual Rights
Data subjects will now have enhanced rights, like greater control over the processing of their personal data and a right to data portability.
Data controllers will now have to notify the relevant supervisory authority of a data breach within 72 hours, unless the breach is unlikely to threaten the rights of data subjects. Processors are only obligated to report breaches to data controllers.
International Data Transfers
GDPR has now removed the need for international data transfers to be pre-approved. It has also removed self-assessment as a basis for transfers, a move which is intended to improve uniformity across all members.
Imposition of Strict Fines
GDPR will now give supervisory authorities the power to impose severe fines for non-compliance.