GDPR SUMMARY

17 July 2018

The key changes included in the General Data Protection Regulation (GDPR):

  • The Regulation enforces tough penalties: fines of up to 4% of annual global turnover or €20 million, whichever is greater.

  • Even though the UK will not be in the EU post-Brexit, UK organisations will still have to comply with the Regulation. Although enforcement beyond EU borders will be a challenge, those providing products or services to EU customers, or processing their data, may still face the long arm of the law if an incident is reported.

  • The definition of personal data becomes broader. Companies should take measures to reduce the amount of personally identifiable information they store and ensure that they do not keep any information for longer than necessary.

  • Valid consent must be requested in clear, plain terms; silence or inactivity does not constitute consent.

  • The appointment of a data protection officer (DPO) is mandatory for public bodies, and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive (special category) data.

  • The introduction of data protection impact assessments (DPIAs): a risk-based approach must be adopted before undertaking higher-risk processing activities. Controllers will have to conduct a DPIA to analyse and minimise the risks to their data subjects.

  • An obligation to notify the supervisory authority (in the UK, the ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

  • Processors will be required to notify the controller without undue delay after becoming aware of a personal data breach.

  • New contracts being negotiated will need to reflect the Regulation's mandatory terms, and existing contracts between controller and processor may need to be reviewed.

  • Strengthened rights for data subjects, including the right to erasure (also known as the 'right to be forgotten'), the right of access and the right to data portability. Data portability allows an individual to receive a copy of their personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another processing system.

  • Companies established outside the EU that process the personal data of individuals in the EU will generally be required to appoint a representative based in the EU.

  • Controllers must implement appropriate technical and organisational measures to ensure that processing protects the rights of the data subject. Privacy by design means building data protection into any new process or system from the outset, which will require changes to people and culture to embed it in the business.

 


How can we help you?

To find out how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070