The EU GDPR replaces the Data Protection Directive 95/46/EC and is designed to:
It will take effect in May 2018.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
GDPR has extended jurisdiction as it applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions. The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be given in clear and plain language and it must be as easy to withdraw consent as it is to give it.
Under the GDPR, breach notification will become mandatory in all member states and this must be done within 72 hours of first having become aware of the breach.
Data subjects can obtain confirmation from the data controller whether personal data concerning them is being processed, where and for what purpose. The controller should provide a copy of the personal data in an electronic format free of charge.
Also known as Data Erasure, this right lets the data subject request that their personal data be deleted if it is no longer relevant to the original purpose for which it was collected.
This principle calls for the inclusion of data protection from the outset of designing systems. Organisations that process personal data have a legal requirement to protect it by providing adequate safeguards to mitigate a security breach. Whilst no one can guarantee complete information security, organisations need to reduce their risk of a possible data breach by ensuring they have sufficient plans in place to ensure business continuity.
Article 23 calls for controllers to hold only data that is absolutely necessary for completion of their duties, and access to customer data should only be granted to those processing the data within the organisation.
The data protection officer (DPO) is a nominated person responsible for record keeping within the organisation. This role is only mandatory for public authorities or those whose core activities require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
Determining how GDPR-compliant your organisation is requires you to review your current processes and procedures and ensure you have adequate cyber security protection and detection in place.
Genesis work alongside an excellent portfolio of security vendors and can provide solutions that cover six security pillars relevant to GDPR compliance:
If you are confused about how GDPR may affect your business or would like help preparing for GDPR then get in touch.