General Data Protection Regulation – what’s changed?

Are you up to date with the General Data Protection Regulation (GDPR)? The new regulation applies from 25 May 2018, and you need to start preparing now to avoid hefty fines.

what’s changed

A lot has changed since 1995, when the Data Protection Directive that the GDPR replaces was adopted. The General Data Protection Regulation (GDPR) is the EU’s attempt to bring data protection up to date with a constantly changing, data-driven society, with the aim of reducing privacy and data breaches.

Organisations of any size that are not compliant with the GDPR by 25 May 2018 face heavy fines:

Breaches of the obligations of controllers and processors, certification bodies or monitoring bodies: up to 10,000,000 euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is greater (GDPR Article 83(4)).
Breaches of the basic principles of processing (including the conditions for consent), data subject rights, rules on international transfers, or non-compliance with a supervisory authority’s order: up to 20,000,000 euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater (GDPR Article 83(5)).
KEY POINTS:
Consent

The conditions for consent have been strengthened. Companies will no longer be able to bury a request for consent in long, illegible terms and conditions full of legalese: the request must be presented in an intelligible and easily accessible form, using clear and plain language.

Consent to use a customer’s information now needs to be clearer than ever before. There are a few new requirements to adjust to:

Pre-ticked opt-in boxes and other forms of default or implied consent are no longer valid; consent must be an affirmative action.
Consent must be separate from other terms and conditions, and it must not be a precondition of signing up for a service unless the processing is actually necessary for that service.
You must keep clear records of what each customer consented to, when, and how, so that you can demonstrate consent if it is ever challenged.
Customers have the right to withdraw consent at any time. You must tell them this, make withdrawing consent as easy as giving it, and explain how to do it.
Breach Notification

Breach notification becomes mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The supervisory authority must be notified within 72 hours of the organisation becoming aware of the breach where feasible, and the notification must explain any delay beyond that.

All organisations now have a duty to report qualifying data breaches to the relevant supervisory authority, and to inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. You will also need an internal record of every breach, including those you decide do not need reporting, and the reasoning behind that decision.

Right to Access

Data subjects have the right to obtain from the data controller confirmation of whether or not personal data concerning them is being processed, and if so where and for what purpose. The controller must also provide a copy of the personal data, free of charge, in an electronic format where the request was made electronically.

Closely related to the ‘Data Portability’ section below: a customer must be able to obtain the personal data you hold about them, together with other important information relating to it, such as their contract or the T&Cs they agreed to.

Right to be Forgotten

The right to be forgotten (also called the right to erasure) entitles the data subject to have the data controller erase their personal data, cease further dissemination of it, and, where the data has been made public, take reasonable steps to have third parties halt processing of it.

If a customer cancels and wants to remove all ties with you, do you have a process in place to permanently remove them from all of your systems? If not, there is no better time to invest in creating a reliable removal process. Top tip: it’s not just your CRM you need to think about. Don’t forget your email lists, phone books, previous email conversations, backups, and any processors or other third parties you have passed the data to.

Data Portability

Data subjects have the right to receive the personal data concerning them that they previously provided to you, in a ‘structured, commonly used and machine-readable format’, and to transmit that data to another controller.

You must provide a secure way to deliver a customer’s data to them, or, where technically feasible, directly to another organisation they nominate. So that it can be used without difficulty, the data must be in a structured, commonly used and machine-readable format such as a standard export rather than a PDF of screenshots. It must be provided free of charge and within one month of the request; this can be extended by a further two months for complex or numerous requests, but only if you tell the customer within the first month.

Privacy by Design

Privacy by design calls for data protection to be built in from the outset of system design, rather than bolted on afterwards.

In practice, this means assessing the privacy impact of a service when it is first designed, applying appropriate measures such as data minimisation and pseudonymisation, and being able to show that you reasonably concluded privacy is adequately protected before the service is rolled out to the public. For processing that is likely to pose a high risk to individuals, a formal data protection impact assessment is required.

Data Protection Officers

Under the GDPR it will no longer be necessary to submit notifications or registrations of data processing activities to each local DPA, nor to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there are internal record-keeping requirements: you must keep records of your processing activities and be able to produce them on request.

Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, must appoint a data protection officer. A group of companies may appoint a single data protection officer, provided they are easily accessible from every establishment in the group.


The GDPR deadline is approaching; we recommend putting new processes in place now so that any issues can be ironed out before it arrives.
