10 Things You Need to Know about GDPR - Mitratech

Next year the European Union’s GDPR will become enforceable, and with the threat of staggeringly high fines for those organisations that ignore GDPR rules, large global enterprises are likely to sit up and listen.

All organisations conducting business in the EU must demonstrate that adequate measures have been put in place to comply with GDPR and evidence how they collect and use personal information. Organisations that ignore GDPR rules are at risk of receiving fines from the European Commission of up to €20 million, or 4% of their annual worldwide turnover, whichever is the greater.

Robert Bond, Partner at Bristows LLP, comments: “GDPR will make businesses put in place the compliance policies and procedures that they ought to have under current law. The fact that GDPR is extra-territorial and applies to both data controllers as well as data processors, coupled with the significant increases in compliance obligations and fines, means that doing nothing is not an option. Taking steps immediately to ‘move in the right direction’ is the way to go, and having tools that support the communication of and training on corporate policies is essential.”

Bristows LLP have provided us with the list below of the Top 10 Things You Need to Know about GDPR, and we would like to assist you with any issues your organisation may face as a result of these changes.

1. The new EU General Data Protection Regulation (“GDPR”) will become applicable across the EU on 25 May 2018. The UK Government have confirmed the UK will implement it as planned, even with Article 50 being triggered.
2. The general concepts stay the same. The GDPR will replace the current UK Data Protection Act 1998 and introduce a number of new obligations on organisations.
3. Online identifiers (such as IP addresses) and other unique IDs are expressly included in the definition of “personal data”, and so should be protected in the same way as other personal data. Biometric and genetic information, as well as information about sexual orientation, is now designated as “sensitive personal data”.
4. The standard for genuine consent will get higher. Consent is only valid when individuals have a genuine choice as to whether or not their data is processed in a particular way. If the data processing is not necessary for the provision of a service, then use of the service should not be made conditional on giving that consent.
5. Organisations will need to give individuals more information about the processing: for example, information about retention periods, the legal basis for the processing, and how individuals can exercise their rights.
6. The GDPR strengthens existing data subject rights and introduces some new ones. Subject access requests must be processed free of charge and within one month. There is a new right to erasure and a right to be forgotten.
7. The GDPR introduces a new concept of privacy by design and privacy by default. Data protection and privacy should be built into any new system, project or operation right from the outset. Information should not be shared or made public by default, but only if the individual opts in.
8. It will be mandatory to report security breaches to the Information Commissioner’s Office within 72 hours. Organisations will also have to report breaches to the affected individuals where those individuals are at risk.
9. Organisations will need to conduct Data Protection Impact Assessments (DPIAs) prior to any data processing that could be considered high risk because of its potential impact on individuals, for example any new monitoring activity or collection of sensitive personal data. A DPIA involves assessing the risks associated with the proposed project and considering what safeguards can be put in place to protect individuals.
10. The GDPR requires organisations to be able to demonstrate that they are compliant with the GDPR, through their internal policies, processes and training.

Point 10 is one which organisations must take seriously. Effective GDPR policies and procedures are a prerequisite to protecting staff; however, if they are not communicated effectively, they are worthless.

A robust policy management system should be implemented to demonstrate best practice, providing the ability to monitor staff agreement to data protection policies and procedures and to generate reports for auditing and regulatory checks.

Download our article to see how we could assist your organisation with this fast-approaching regulation.