What is EU GDPR?
The European General Data Protection Regulation (EU GDPR) aims to harmonize data protection law across the Single European market and put individuals back in control of their personal data. This will not only improve international business, but supports with building trust for individuals around the protection of their information. It officially comes into force from 25 May 2018.
Will Brexit impact EU GDPR?
At this time, if your business still operates within the EU, or you have personal information on an EU data subject, compliance will still be necessary regardless of Brexit plans.
What does EU GDPR mean for business?
The new legislation brings about some specific changes for business, the most significant being the monetary implications on non compliance.
Introduction of significant Fines
Tier One: Up to €10 million or up to 2% of annual worldwide turnover of the parent company, the higher amount
Tier Two: Up to €20 million or up to 4% of annual worldwide turnover of the parent company, the higher amount
The right to erasure
If an individual no longer wishes for their data be processed, and there are no legitimate grounds for retaining it, the data must be deleted. The onus is on data controllers to prove that they need to keep the data, not on the data subject.
Mandatory notification of a data breach
Organizations will now be required to report a data breach to the Data Protection Commissioner, within 72 hours of becoming aware of the breach.
Portability of data
The regulations propose the right that data subjects will be able to transfer their personal data in a commonly-used electronic format from one data controller to another without hindrance from the original controller.
Privacy by design
This is one of the fundamental ideas of the new regulation and one that aims to change an organizations overall attitude and planning towards data protection. Article 23 stipulates that Data Protection should be designed into the development of business processes, so privacy is a consideration right from the start of project
Appointment of a Data Protection officer (DPO)
Certain activities, such as large scale monitoring of individuals or processing of special category data, require an organization to appoint a DPO. Even if you don’t need to, it’s good practice to appoint a DPO with knowledge of information security and an understanding of data protection law.