Top Ten Tips for GDPR
Big changes to data protection and privacy are coming with the GDPR implementation in May 2018. Here are Fair Data's Top Ten Tips to give you a head start with the Regulation:
- A single set of rules - Well, not quite. The GDPR sets out to create a common set of rules across the EU. With more than 30 exemptions that allow member states discretion as to how they implement the rules, things will still not be fully harmonised.
- Higher fines - Fines are significantly increasing. Non-compliance could mean a fine of up to EUR20m or 4% of worldwide turnover (whichever is higher).
- No boundaries - Regardless of where you are located, if you are processing EU residents' personal data then the rules apply to you. So if you are analysing, storing or monitoring the activities of EU residents, your business will fall under the Regulation.
- Definition of personal data - The definition of personal data is expanding. What constitutes 'personal data' is much broader and it specifically covers 'online identifiers'. Anything that contributes to identifying an individual, or links to identifying information, will be caught, including cookies and advertising IDs.
- Greater liability - As a data processor you will have significant responsibility. Data subjects/individuals will be able to take direct action not just against a data controller but also against a data processor.
- Notification of data breaches - Data protection authorities must be notified within 72 hours of any serious data breach, and an organisation must also inform the affected individuals where the breach may cause them harm.
- Greater business accountability - You no longer need to inform the Information Commissioner's Office of how you intend to use personal data. Instead, a risk-based approach will focus on privacy impact assessments, maintaining good internal records and systems and entrenching privacy by design and default.
- Stronger individual rights - As well as strengthening existing rights, new individual rights have been included which businesses are obliged to promote. Data subjects will have a right to be forgotten and to data portability, meaning you could be required to provide data to an individual that they can take to a competitor. Other adaptations mean there is a much greater focus on the clarity of information notices and it will be easier for people to object to different types of processing, including profiling and marketing.
- Cross-border transfers - Standards will be raised for cross-border transfers. Current mechanisms such as Binding Corporate Rules and model contract clauses will continue to be acceptable. US-based companies can also start using the EU-US Privacy Shield, which has now been assessed as adequate.
- Data Protection Officer (DPO) - Organisations involved in regular and systematic monitoring or processing of sensitive data on a large scale will need to appoint a DPO.
MRS' Fair Data Accreditation is the only mark that allows companies to show best practice in data protection. It will take you most of the way towards GDPR compliance.