GDPR + YOU
What is GDPR?
The European General Data Protection Regulation (GDPR) replaces the existing Data Protection Directive (DPD). It entered into force in May 2016 and applies directly in every EU member state from 25 May 2018, with no transition period after that date.
The regulation applies to data controllers and data processors that hold or process personal data about living individuals, who are referred to as data subjects.
The GDPR enhances the rights and principles already defined in the DPD and contains some significant changes such as:
- A mandatory requirement to appoint a DPO (Data Protection Officer) for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Awareness of and provision for data subjects' enhanced rights (access, rectification, erasure, portability and objection).
- Supervisory authorities to be notified of personal data breaches within 72 hours of the controller becoming aware, unless the breach is unlikely to result in a risk to individuals.
- Where a breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
- An internal breach register to be maintained, covering all breaches whether or not they were notifiable.
- Administrative fines for infringements of the regulation: up to €10 million or 2% of annual worldwide turnover (whichever is higher) at the lower tier, and up to €20 million or 4% at the higher tier.
- Data Protection Impact Assessments (DPIAs) become mandatory before any processing that is likely to result in a high risk to individuals.
- Organisations must build data protection into systems and processes by design and by default.
- A higher bar for consent: it must be a clear affirmative action, so pre-ticked boxes and silence no longer count as an active opt-in.
GDPR + YOU : What you should do now
If your business handles personal data about living individuals you must:
- Embrace privacy by design now.
- Know what information you possess and where you have it stored so you may find it if required.
- Appoint a Data Protection Officer where the regulation requires one, and in any case name someone accountable for data protection.
- Take Security Awareness Training for you and your team.
- Consider an IT Security and IT Policy Audit.
- Keep records of your processing activities and of all actions undertaken in relation to data security, so you can show what was done and when.
- Demonstrate your regulation compliance with evidence of controls, process and technology.