Thursday, February 8, 2018
GDPR is short for General Data Protection Regulation. It is the new EU data protection framework, which has finally been adopted and takes the form of a regulation, so it applies directly in every member state without national transposition. The GDPR was published in the Official Journal of the European Union on 4 May 2016 and, after a two-year implementation period, applies from 25 May 2018, only a few months from now.
Without doubt, the GDPR will bring considerable changes to European privacy law. It will have a drastic impact on how organizations collect, handle and process personal information. All organizations will have to take significant action to comply with the GDPR, and the remaining implementation period will pass quickly.
Organizations should begin their preparations immediately, for several reasons.
Why is GDPR important for your organization?
Dramatic increase in regulatory risk, tougher sanctions: The GDPR significantly increases the maximum penalties for non-compliance, to the greater of €20 million or 4% of annual worldwide turnover.
Wider application: The definition of personal data is extended to cover any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs. Almost all organizations are affected.
Wider territorial scope: All organizations established in the EU are affected, whether or not the processing itself takes place in the EU. Organizations located outside the EU are also subject to the GDPR if they offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the organization or its servers are located.
Higher level of compliance: Organizations are required to run a thorough data governance program and implement substantial, effective data protection measures, such as Data Protection Impact Assessments (DPIAs) for high-risk processing, audits, policy reviews, records of processing activities and, where required, the appointment of a data protection officer (DPO).
Accountability: Proof of compliance is required. It is not enough to comply; organizations must be able to demonstrate, with documentation, that they approach the GDPR methodically and are implementing all the necessary strategic and tactical measures aimed at preventing the misuse of personal data.
New concepts and framework
The GDPR, apart from the concept of accountability, introduces new concepts and a new framework for processing and protecting Personal Data. In particular:
Purpose limitation, data minimization: Processing purposes must be specific, explicit and transparent, and the data collected must be adequate, relevant and limited to what is necessary for those purposes.
Consent: Where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action. Pre-ticked boxes and silence do not count, and consent must be as easy to withdraw as it was to give.
Right to be forgotten, right to data portability: New and powerful rights for individuals, namely the right to have their personal data erased and the right to receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.
Data protection by design and by default: Personal data protection measures must be determined early, at the design stage of a processing activity, and the default settings must process only the data necessary for each purpose.
Notification obligations: In case of a personal data breach, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of it; the affected data subjects must also be notified when the breach is likely to result in a high risk to their rights and freedoms.
Preparation for implementation
What comes next? Organizations need to establish data protection compliance programs, or review and enhance their existing programs, so that they genuinely comply with the changes and avoid the risk of fines and penalties. A sensible first step is to map what personal data the organization holds, where it came from, on what legal basis it is processed and with whom it is shared; every obligation above builds on that inventory.
Our team has extensive experience guiding organizations in data protection matters. Do not hesitate to contact us to discuss your company's needs in detail.