New Regulation for the Protection of Data (GDPR)

The General Data Protection Regulation (GDPR) is the latest development in the current EU agenda to safeguard its citizens and their private information.

The GDPR introduces new rights for individuals and the changes require a review of your current approach and an assessment of the impact to your business and customers.


Penalties

A penalty for data breach may cost up to €20 million or 4% of your annual turnover.

Increased Territorial Scope

If you are transferring data outside of the EU, for any purpose, the terms of the GDPR will still apply.

Internal Inventories

Although there are some exemptions for smaller organisations, in general you must have and maintain an inventory of all data you hold, the reasons for holding it and its other attributes, including but not limited to retention, safeguards and data types.

Requirement of ‘data portability’

Customers will have the right to obtain and use their personal data for their own purposes across different services. You will have to be able to provide customers with a machine-readable copy of their data.

The ‘right to be forgotten’

Customers now have the right, in certain circumstances, to have data about them erased, removed or de-indexed. Are your IT systems and business processes able to take this into account?

Data Subject ‘consent’ Required

Businesses must be able to demonstrate that the consent of the data subject was presented in a manner which is clearly distinguishable and specific to the purpose for which it will be used. Consent can no longer be by default or implied.

Data Protection Officer (DPO)

A DPO is a new role that certain organisations will be required to fill, depending on the type and volume of data being processed.

Data Protection Impact Assessments (DPIAs)

The regulation requires businesses to carry out DPIAs where the processing is likely to result in a high risk to the rights of individuals, and particularly when using new technologies, taking into account the nature, scope, context and purpose of the processing.

Reporting Data Breaches

In addition to reporting requirements from other regulations, the GDPR will require communication with the Data Protection Commissioner within 72 hours and/or informing the affected data subjects ‘without undue delay’ in high risk cases.

Subject Access Rights

Data subjects will enjoy stronger access rights. Where an access request is received, you must respond within the shorter time frame of one month and cannot charge a fee unless the request is manifestly unfounded or excessive.


www.dataprotection.ie

The compliance deadline is 25th May 2018.
