9 key changes of the GDPR
We look at the key changes brought about by the new EU General Data Protection Regulation (GDPR), which comes into effect in May 2018.
| Key change | What it means |
|---|---|
| 1. Stricter consent requirements | A person's consent to the processing of their personal data is valid only if it is given voluntarily, specifically, consciously and unequivocally, in the form of a statement, confirmation or other action clearly expressing consent. |
| 2. Right to the erasure of data ("the right to be forgotten") | The GDPR gives a person a clear basis to request that data processors erase all data relating to them. |
| 3. Special rules with regard to personal data of minors | If a person is younger than 16 years old, then in addition to their own consent, the consent of a parent or guardian is required. It is yet to be decided whether the Information and Data Protection Commissioner (IDPC) will apply the lowest permitted limit of 13 years of age. |
| 4. Obligation to nominate a Data Protection Officer | An organisation that a) is a public authority or body; or b) processes large amounts of data (i.e. the data of at least 5000 persons per year); or c) processes special categories of data (such as health-related information); or d) employs 250 or more workers is now mandated to nominate a Data Protection Officer. |
| 5. Right to data portability from one service provider to another | A service provider must be able to provide a person with their data in a structured, commonly used and machine-readable format when the person transfers to another data service provider. |
| 6. Obligation to maintain a record of processing activities | Each company shall maintain a record of all categories of personal data processing activities and shall preserve such records. |
| 7. Obligation to notify the IDPC about data breaches | The IDPC must be notified of incidents and security breaches within 72 hours. In certain cases, the data subjects must also be notified. |
| 8. Obligation to conduct data protection impact assessments | Where a type of processing (e.g. using new technologies) is likely to result in a high risk, the organisation shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. |
| 9. A regulation that bites | An organisation found to be in breach of the GDPR may be subject to a sanction of up to €20,000,000 or 4% of global turnover, whichever is the higher. |