GDPR has brought about big changes for data protection and privacy. Here are Fair Data's top 10 things to remember about the regulation:
- A single set of rules - Not quite. The GDPR set out to create a common set of rules across the EU, but with more than 30 derogations that leave member states discretion over how they implement those rules, things will still not be fully harmonised.
- Higher fines - Potential fines have increased significantly. Non-compliance can mean a fine of up to EUR 20m or 4% of total worldwide annual turnover, whichever is higher.
- No boundaries - The rules apply regardless of where you are located: if you process the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, your business falls under the regulation. Analysing, storing or monitoring the activities of people in the EU is enough.
- Definition of personal data - The definition of personal data has expanded. What constitutes 'personal data' is now much broader and explicitly covers 'online identifiers'. Anything that identifies an individual directly or indirectly, or can be linked to identifying information, is covered, including cookies and advertising IDs.
- Greater liability - Data processors now carry direct obligations of their own. Data subjects will be able to take action, and claim compensation, not just against a data controller but also directly against a data processor.
- Notification of data breaches - The data protection authority must be notified of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the organisation must also tell the affected people without undue delay.
- Greater business accountability - In the UK you still need to be registered with the Information Commissioner's Office if you are processing personal data. Beyond that, the regulation expects a risk-based approach: carrying out data protection impact assessments (DPIAs) for higher-risk processing, maintaining records of processing and sound internal systems, and entrenching privacy by design and by default.
- Stronger individual rights - As well as strengthening existing rights, new individual rights have been introduced that businesses are obliged to honour. Data subjects now have a right to erasure (the 'right to be forgotten') and a right to data portability, meaning you could be required to hand an individual their data in a form they can take to a competitor. Other changes put a much greater emphasis on the clarity of privacy notices, and it should be easier for people to object to different types of processing, including profiling and direct marketing.
- Cross-border transfers - Standards have been raised for cross-border transfers. Existing mechanisms such as Binding Corporate Rules and standard (model) contractual clauses remain acceptable. At the time of writing, US-based companies could rely on the EU-US Privacy Shield, which had been assessed as adequate; note that the Privacy Shield adequacy decision was later invalidated by the Court of Justice of the EU in Schrems II (July 2020), and transfers to the US now rely on the standard contractual clauses with supplementary measures or on the EU-US Data Privacy Framework adopted in July 2023.
- Data Protection Officer (DPO) - If your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of (sensitive) data, you will need to appoint a DPO. Public authorities must appoint one regardless.
The MRS Fair Data Accreditation is a mark that allows companies to demonstrate best practice in data protection, and it will take you most of the way towards GDPR compliance.