Key Provisions For GDPR
The GDPR introduced several new concepts and approaches, although many of the core principles of the existing Data Protection Directive remain unchanged. The Information Commissioner's guide highlights the key steps to take.
Some of the key provisions are:
Non-EU data controllers and data processors will be subject to the GDPR when offering goods or services to, or monitoring behaviour of, EU data subjects.
Fines for non-compliance will increase significantly. Businesses that have regarded non-compliance with data protection as low risk may need to re-evaluate that view in the light of the substantial new fines and increased supervisory authority powers.
Consent for processing will be harder to obtain:
Relying on implied consent is harder, as a clear affirmative action is required. Business practices should ensure that consent indicates affirmative agreement from the data subject. Acquiescence to a pre-ticked box is no longer enough, and businesses must be able to demonstrate that consent has been properly obtained.
Privacy by design:
Businesses are required to implement technical and organisational measures to ensure that the requirements of the GDPR are met by:
a. Taking data protection requirements into account at the inception of new technology, products or services that involve processing personal data, and keeping those measures up to date.
b. Conducting data protection impact assessments where appropriate.
Risk based compliance:
Businesses are required to assess, and to continue to monitor, the degree of risk their processing activities pose to data subjects. GDPR provisions such as privacy by design, accountability and data security all address this.
Businesses must keep clear records of all their data processing activities and, if requested, provide those records to the supervisory authority.
Enhanced data subject rights:
The GDPR increases data subjects' rights, giving them the right to have personal data erased in certain circumstances, to object to profiling and to enjoy data portability. The portability right allows them to obtain a copy of their personal data from the data controller and to transmit those data to another controller (for example, another online service provider). In addition, data access requests must be handled promptly: without undue delay and, in any event, within one month of receipt.
Contact Tracey Dickens on 01206 217326 or firstname.lastname@example.org.