On 25 May 2018 the General Data Protection Regulation (GDPR) was enforced across Europe. This is the most significant change we have seen to data protection in over 20 years.
It's important to ask yourself: is my organisation aware of the changes, and what can I do to meet the requirements?
The GDPR applies to any organisation that is 'established' in the EU and processes personal data. If you are an organisation established outside the EU, you could still be caught if your processing activities relate to offering goods and/or services to EU residents (even if complimentary), and/or the monitoring of behaviour within the EU.
The definition of personal data is even wider than it was under the Directive, as it now expressly includes identification numbers, location data and online identifiers such as IP addresses and cookies. Essentially, the only data that will fall outside of the definition of personal data is that which is truly anonymised.
There are stricter conditions for obtaining consent: it must be freely given, specific, informed, unambiguous, distinguishable and not 'bundled' with other written agreements or statements. It must be as easy to withdraw consent as it is to give it, and data subjects have the right to withdraw consent at any time.
The GDPR provides numerous enhanced rights for individual data subjects. For example, individuals have the right to require information about whether their personal data is being processed and further information such as the purposes of processing and the recipients of the data. Individuals also have the right to object to their personal data being processed for direct marketing.
Data processors now have certain direct obligations. For example, they must maintain written records of their processing activities and implement appropriate security standards. They must also carry out routine data protection impact assessments and appoint a Data Protection Officer (DPO) if necessary.
A DPO with expert knowledge of data protection law must be appointed if your organisation is a public authority, carries out large-scale systematic monitoring of individuals, or carries out large-scale processing of sensitive personal data. Each domestic regulator is free to make additional requirements in respect of DPOs; to date the ICO has not commented on any additional DPO requirements.
The GDPR contains breach notification obligations for both the processor and the controller, and in certain circumstances individual data subjects will also need to be notified of the breach.
The maximum fine for the most serious infringements (such as not gaining sufficient consent for processing) is up to 4% of annual global turnover or €20 million (whichever is greater). Administrative failures (such as failing to report breaches) can result in a fine of up to 2% of annual global turnover or €10 million (whichever is greater).