GDPR provides increased privacy for individuals and gives increased powers to regulatory authorities to take action against data controllers and data processors who don’t comply with it.
Deadline for compliance
25th May 2018
- Fines of up to 4% of annual worldwide turnover or €20 million – whichever is greater
- GDPR applies to all organisations worldwide who: (1) provide goods and services to individuals within the EU (including free of charge); or (2) monitor those individuals' behaviour;
- Data processors now have direct regulatory obligations; and
- Definition of “personal data” extended to include identifiers such as: (1) genetic; (2) mental; (3) cultural; (4) economic; and (5) social identity.
Increased rights for individuals
- Right to be forgotten and erased from records;
- Right to request a copy of personal data in a commonly used portable electronic format;
- Consent means a clear statement or affirmative action which is freely given, specific, informed and unambiguous;
- Parental/guardian consent required to process children’s data; and
- Reduced time frame for controllers to respond to subject access requests and no ability to charge for such requests.
Changes for data controllers
- Accountability – need to demonstrate compliance;
- Mandatory appointment of data protection officers for certain data controllers;
- Mandatory privacy impact assessments in certain situations;
- Privacy by design is required;
- Data breaches must be reported within 72 hours of becoming aware of the breach (unless there is a low risk to individuals' rights);
- No need to register with the data protection authority;
- Increased co-operation and consistency between EU regulators; and
- A ‘one stop shop’ for data controllers across the EU.