The New GDPR
Here’s What You Need to Know
Health and Safety Consultant at EazySAFE
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was adopted by the European Parliament and Council on the proposal of the European Commission in April 2016 and applies across the EU from 25 May 2018, replacing the Data Protection Directive (95/46/EC).
The purpose of the regulation is to strengthen and unify data protection for individuals within the EU and to simplify the regulatory environment for international businesses operating in the EU, whether they are established inside or outside it, by replacing 28 national implementations of the Directive with a single directly applicable regulation.
Privacy is a fundamental human right, enshrined in numerous international human rights instruments.
The reforms also specifically address technological challenges in the processing of personal data in the digital age, including profiling, data portability and the ‘right to be forgotten’ (erasure). Data protection by design and by default (Article 25) means that user settings must be privacy friendly out of the box and that privacy considerations must be built into products and services from the outset. Data controllers (and processors) will be obliged to maintain internal records of processing activities (Article 30). Enterprises employing fewer than 250 people are exempt from the record-keeping duty, but only if the processing they carry out is occasional, is unlikely to result in a risk to the rights and freedoms of data subjects, and does not include special categories of (sensitive) personal data; a small business that fails any one of these conditions must keep the records.
Controllers and processors must appoint a Data Protection Officer where they are a public authority, where their core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or where their core activities consist of large-scale processing of sensitive (special category) personal data (Article 37). The Data Protection Officer may be a staff member or may be engaged as an external consultant under a service contract rather than as a full-time employee.
The regulation abolishes the general requirement to register (notify) processing with Data Protection Authorities; instead, every business is obliged to comply with the regulation and to be able to demonstrate that compliance.
An important development is the one-stop shop compliance framework. A company carrying out cross-border processing deals primarily with a single lead Supervisory Authority, in the Member State of its main establishment, rather than having to act with several regulators across different jurisdictions.
Businesses will be obliged to conduct Data Protection Impact Assessments (Article 35) where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.
The regulation introduces an obligation to notify the Supervisory Authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33); where the breach is likely to result in a high risk, the affected individuals must also be informed (Article 34). Because the 72-hour clock starts when the controller becomes aware of the breach, this obligation in practice requires businesses to establish a data breach response procedure that covers detection, internal escalation and risk assessment, not only the notification itself. The penalties for the most serious infringements are fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83).
Staff training is part of complying with the GDPR, and the regulation refers to it directly in two places. Under Article 39, the GDPR lists among the tasks of the Data Protection Officer “awareness-raising and training of staff involved in processing operations.”
Under Article 47, in connection with Binding Corporate Rules (BCRs), the GDPR requires that the rules specify “the appropriate data protection training to personnel having permanent or regular access to personal data.”
When deciding whether to impose an administrative fine and how much, Supervisory Authorities must take into account the technical and organisational measures the controller or processor had in place and the degree of responsibility for the infringement (Article 83(2)). A company’s overall commitment to data protection, including the quality of its staff training, can therefore influence both the decision to enforce and the amount of any fine.
All employees who have access to personal data should be made aware of their responsibilities under data protection law. Provide employees with a basic understanding of data protection rights and responsibilities in line with the GDPR using EazySAFE’s online Data Protection training.