The GDPR will become law on 25th May, 2018. It will replace the inconsistent, and no longer fit-for-purpose, national data protection legislation that EU Member States put in place in response to the 1995 Directive.
The GDPR is far reaching: it will apply to all EU organisations that control and/or process personal data, and to any organisation worldwide that processes the personal data of EU residents.
It expands the definition of personal data to mean any information that can be used, directly or indirectly, to identify a data subject, such as a name; an ID number; location data; an online identifier; or factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.
The GDPR enhances the rights of data subjects in relation to their personal data. It also introduces three new rights: the right to be forgotten, the right to restriction of processing, and the right to data portability. (More on these in a later blog article.)
The design and implementation of any new product, service or business process must uphold the rights of individuals in relation to data protection.
The GDPR raises the threshold for a data subject's consent to the processing of their personal data: consent must be freely given, specific, informed and unambiguous, and it must take the form of a statement or a clear affirmative action. In addition, it must be as easy for the data subject to withdraw consent as it is for them to give it.
An organisation can be held legally liable for a personal data breach even if it is not directly responsible, and a liable entity can be issued with a substantial fine of up to €20 million or 4% of worldwide annual turnover. In addition, the data subject will have the right to sue the responsible parties for non-material as well as material damages arising from a data breach.
If your organisation's core activities involve, on a large scale, the regular and systematic monitoring of data subjects or the handling of special categories of data, or if it is a public body, you must appoint a Data Protection Officer (DPO).
Data Controllers and Data Processors must keep detailed records of their data processing activities and must be able to provide them, on request, to the Supervisory Authority for inspection.
Data Processors will be subject to increased obligations under the GDPR and they can be held liable for any breaches that arise while acting outside the scope of their processing contract.