For over four years the EU has been debating a new data protection regulation. It has finally come to an agreement, and if you are not compliant you will face a hefty fine.
Cyber security is crucial because attackers are building more sophisticated malware and personal data is being leaked worldwide. Some companies have been unaware of the dangers, which has forced the EU into action.
What does GDPR stand for?
It stands for General Data Protection Regulation, and it is the most important change to data privacy in 20 years. It is an understatement to say it has been a long time coming.
There are a number of key changes that GDPR makes to the previous directive, and they are listed below:
Increased Territorial Scope
This is probably the most important change: the jurisdiction of GDPR applies to all companies, even if you are not based within the EU. If you offer a service to a citizen or company within the EU and you store their personal data, you are responsible for keeping it secure. There have been a number of high profile cases where large corporations have been hacked and data has been leaked.
Consent
Another reform is that consent has to be clearly obtained from the consumer before you store and use their personal data. The request has to be made clearly, and there are regulations on how and where the data may be used.
Fines
If organisations breach GDPR they can be heavily fined. The fines are up to 4% of annual turnover or 20 million euros (whichever is greater). As you can imagine, this is a hefty price to pay for any organisation. It is also important to note that if you are a small blogger who has EU users registered to your blog (email address, name etc.), you also fall under GDPR. There is a tiered structure to the fines depending on which regulations were not enforced. An example would be 2% for not having your records in order (Article 28) or for not notifying the authority of a data breach.
Right For Removal Of Personal Data
This is now known as data erasure. It grants the right to be forgotten, which simply means your personal data is removed from the data controller. This right needs to be clearly displayed after such data is recorded. There are certain circumstances where this cannot happen, for example if you have a loan and that company requires the data in order to be repaid. The consumer now also has the right to request the data stored about them, and it has to be provided electronically.
Personal Data Breach Notifications
Breach notifications are now mandatory in all member states under the breach notification act. If an organisation believes there has been a risk of a data breach, the relevant authorities have to be notified within 72 hours. The data processor is also required to notify consumers whose personal data has possibly been leaked.
Personal Data Protection Officers
Generally it is not necessary to submit notifications or registrations to each local DPA for data processing activities. It is also not a requirement to obtain approval for transfers based on Model Contract Clauses (MCCs). Instead, data processors need to ensure there are procedures set up for internal record keeping and that GDPR requirements are met. However, a DPO is mandatory for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data, for example a large scale business that uses data relating to criminal convictions and offences.
Find out more about GDPR and DPO requirements via the link below.
Download GDPR Guide
If you would like us to carry out a free initial audit of your GDPR processes and procedures, please contact us. We have a lot of experience and have helped many customers become GDPR compliant.