WHAT TO EXPECT
GDPR will apply to businesses within the EU and also to organisations outside the EU that process the data of EU residents.
Data Protection Officer
A DPO should be appointed if you are a public authority or body, carry out large scale systematic monitoring of individuals or perform large scale processing of special categories of data.
Single Set of Rules
Each member state will establish a Supervisory Authority (SA), which will be responsible for its own country but will also work with other SAs.
GDPR requires the data protection officer to notify the SA “without undue delay” and within 72 hours of any breach of data security.
Privacy by Design
Privacy must be built into all new projects and initiatives, including the requirement for privacy impact assessments (PIAs) to be conducted where specific risks exist to the rights of individuals.
A four-tier fine system will be put in place for breaches, with the highest tier resulting in fines of up to £15.8 million or four percent of global annual turnover (whichever is greater).
Valid and explicit consent must be given for all data collected, and the purpose for its use must be fully explained. Opt-in options must be present for all data collection, and consent must be retractable at any time.
Right to Erasure
Also called the ‘right to be forgotten’, this control gives the data subject the right to require a business to permanently delete all information held about them on any one of a number of grounds.
Responsibility and Accountability
The current annual notice requirements remain and are expected. They must also include the retention time for personal data and contact information for the data controller and data protection officer.
A data subject shall be able to transfer their personal data from one electronic processing system into another, without being prevented from doing so by the data controller.