GDPR

From 25 May 2018 the General Data Protection Regulation (GDPR) will be enforced across Europe. This is the most significant change to data protection law in over 20 years.

As the 25 May deadline approaches, it is important to ask yourself: is my organisation aware of the changes, and what can I do to prepare?

Wider scope - territorial and definition of personal data

The GDPR applies to any organisation that is 'established' in the EU and processes personal data. If your organisation is established outside the EU, you could still be caught if your processing activities relate to offering goods and/or services to EU residents (even if free of charge) and/or monitoring their behaviour within the EU.

Personal Data - broader definition

The definition of personal data is even wider than it was under the Directive, as it now expressly includes identification numbers, location data and online identifiers such as IP addresses and cookies. Essentially the only data that falls outside the definition of personal data is data that has been truly anonymised. The definition of sensitive personal data also now includes genetic data and

Consent - conditions for processing

There are stricter conditions for obtaining consent: it must be freely given, specific, informed and unambiguous, and the request must be clearly distinguishable and not 'bundled' with other written agreements or statements. It must be as easy to withdraw consent as it is to give it, and data subjects have the right to withdraw consent at any time.

Increased individual rights

The GDPR provides numerous enhanced rights for individual data subjects. For example, individuals have the right to require information about whether their personal data is being processed and further information such as the purposes of processing and the recipients of the data. Individuals also have the right to object to their personal data being processed for direct marketing.

Direct obligations on data processors

Data processors now have certain direct obligations. For example, they must maintain written records of their processing activities and implement appropriate security measures. They must also appoint a Data Protection Officer (DPO) where required, and assist controllers with data protection impact assessments.

Data Protection Officers

A DPO with expert knowledge of data protection law must be appointed if your organisation is a public authority, carries out large-scale, regular and systematic monitoring of individuals, or carries out large-scale processing of sensitive personal data. Each domestic regulator is free to impose additional requirements in respect of DPOs; to date the ICO has not commented on any additional DPO requirements.

Breach notification

The GDPR imposes breach notification obligations on both the processor and the controller. A processor must notify the controller of a personal data breach without undue delay, and the controller must notify the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified.

Harsher penalties

The maximum fine for the most serious infringements (such as processing without sufficient consent) is up to 4% of annual global turnover or €20 million, whichever is greater. Administrative failures (such as failing to report breaches) can result in a fine of up to 2% of annual global turnover or €10 million, whichever is greater.
