The Trouble with Data...
The GDPR: New Rules for Data Protection
Q. What is the GDPR?
The EU General Data Protection Regulation (EU) 2016/679 (or GDPR):
- Comes into force on 25 May 2018
- Repeals and replaces the current Data Protection Directive
- Brings significant changes to EU data protection
- Affects EU businesses and non-EU businesses if they target or monitor EU residents
- Increases penalties for infringement to 4% of annual revenue or 20 million euros
Q. What sort of changes does it make?
- Personal data now extends to online identifiers, e.g. IP addresses and cookies
- Sensitive personal data now includes genetic and biometric data
Consent:
- Must be freely given, specific, informed and with a clear indication of wishes
- Affirmative action is required for valid consent, and data controller must prove it
- Consent may not be rolled in with other contractual terms
- Right to withdraw consent at any time
New rights for data subjects
- Rights of rectification and erasure are strengthened
- New right to restriction of processing
- Data portability - right to receive data and to transmit to another controller
- Controllers must tell third party recipients of information of requests for rectification, restriction or erasure
Privacy by Design and Privacy by Default:
- Privacy by Design: privacy measures during product design processes
- Privacy by Default: ensure by default that only necessary data is processed
Q. What do I need to do?
Prepare by reviewing/updating:
- Your products and services, privacy notices and policies (including regarding consent)
- T&Cs for privacy consents
- Public and employee privacy notices and policies
- Third party contracts related to personal data
- Data breach register, data governance records and privacy impact assessments
- Selection and appointment of a Data Protection Officer
- Subject access request handling policy
- Personnel training on data protection: security protocols, encryption and pseudonymisation, breach notification obligations and the security breach response plan
- Privacy impact assessment and privacy by design implementation and review
If you have any questions or would like us to conduct a review of your policies and procedures, please contact Brian Levine on 01935 846258 or firstname.lastname@example.org