There are just over six months to go until the General Data Protection Regulation (GDPR) is enforced. The GDPR will have a significant impact on organisational data protection regimes around the world.
With the compliance deadline looming, it’s more important than ever to understand the GDPR and what your organisation needs to do to comply.
Key changes introduced by the GDPR
The GDPR introduces a number of key changes, and with organisations facing tough penalties for non-compliance, it’s vital that you are aware of the new obligations so you can prepare accordingly:
- The appointment of a data protection officer (DPO) will be mandatory for certain organisations
Article 35 states that DPOs must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
- The rules of valid consent have changed
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.
Parental consent will also be required for the processing of personal data of children under the age of 16. EU member states may lower the age requiring parental consent to 13 and Ireland has already announced that it will set the digital age of consent to 13.
- Restrictions on international data transfers
Organisations need to be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
- Data processors will have direct legal obligations and responsibilities
Processors can be held liable for data breaches. Contractual arrangements will need to be updated, and future agreements will need to stipulate the responsibilities and liabilities of the controller and the processor. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may affect service costs.
- The introduction of data protection impact assessments (DPIAs)
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct DPIAs where privacy breach risks are high to analyse and minimise the risks to their data subjects.
An essential first step for completing a DPIA is to map your organisation’s data and information flows (data mapping).
Clear and comprehensive guidance on GDPR compliance
There are a number of other key changes that will be introduced by the GDPR in May 2018, and it is important not to underestimate the length of time it will take to dismantle, rebuild, adjust or amend your current data protection system.
We recommend that you read November’s book of the month, EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, which covers:
- The GDPR in terms you can understand;
- The obligations of data controllers and processors;
- Guidance on the DPO role;
- What to do with international data transfers;
- Data subjects’ rights and consent; and
- Guidance on DPIAs, including how, when and why to conduct one.