The GDPR emphasizes transparency, security and accountability by data controllers and processors, while at the same time standardizing and strengthening the right of European citizens to data privacy.
The main changes that the GDPR brings are categorized as follows:
Higher and Stricter Fines:
- Penalties are likely to be higher profile, with consequent reputational risk
- Fines of up to 2% of annual global turnover or 10 million euros, or
- up to 4% of annual global turnover or 20 million euros (the maximum penalties, reserved for extreme offending behaviors)
- Civil and criminal liability for officers and key employees
Note that under the previous Data Protection Act fines were capped at €500k and penalties were comparatively low-profile.
Consent
Consent means that the data subject has agreed to the processing of his or her personal data for one or more specific purposes. In practice, no personal data can be used without the prior consent of the data owner. Consent:
- must be freely given, specific, informed and unambiguous
- must be given by a statement or a clear affirmative action
- cannot be inferred from silence, pre-ticked boxes or inactivity
- can be withdrawn, and it must be easy for the data subject to do so
The data subject must be consulted using easily accessible forms and simple, understandable language that cannot be duplicated.
Data breach reporting
The data controller must notify a personal data breach to the supervisory authority (the DPC) within 72 hours of becoming aware of it. If notification is made later, the controller must give reasons for the delay.
Data Protection Officer (DPO)
DPO appointment is mandatory for:
- Public bodies (except courts), and
- Data controllers and data processors that, as a core activity, monitor individuals systematically and on a large scale, or that process sensitive data on a large scale.
The appointment, position and tasks of the DPO are set out in the GDPR. The DPO must:
- have expert knowledge of data protection law and practice
- be involved in all data protection issues
- report directly to the highest level of management
- have operational independence, be free of conflicts of interest, and maintain confidentiality
- inform and advise
- monitor compliance
- act as the point of contact for individuals and the DPC
Geographical framework
The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU that are in charge of data processing aimed at providing goods and services to EU residents or at monitoring EU residents’ behavior.
Changes – Users’ rights
- Subject access – usually within a month and for no fee
- Right to erasure (right to be forgotten) – a data subject has the right to request that personal data be erased when it is no longer being processed
- Data portability – personal data must be in a format in which it can easily be transferred electronically to another processing system
- Right to rectification – where personal data is inaccurate or incomplete