It has been widely described as a “game-changer” as it overhauls the manner in which all businesses and organisations handle personal data. Significant penalties can be imposed for breaches so doing nothing is not an option.
Will the GDPR apply to all businesses?
The GDPR will have extra-territorial effect: it will apply to all businesses that control or process personal data in connection with offering goods or services to, or monitoring the behaviour of, individuals in the European Union, whether those businesses are based in the European Union or elsewhere.
Key provisions of the GDPR
- Requirement to appoint a data protection officer in certain circumstances
- Greater range of penalties for non-compliance. For example, fines could be as high as 4% of a business’ total worldwide revenue or €20 million (whichever is higher)
- Individuals can bring private claims against companies if their data privacy has been infringed
- Obligation to report data protection breaches to regulators within 72 hours of a breach
- Imposition of a risk-based approach to compliance under which businesses will bear responsibility for assessing the degree of risk that processing activities pose to individuals
- Increased obligations for organisations gathering data from underage people
- Tighter requirements for valid consent from individuals
- Rights for individuals to be forgotten and to data portability
- Introduction of the concept of “privacy by design and by default”
Practical steps for businesses to take now
The GDPR will require significant changes for many businesses to ensure that personal data is processed in compliance with the GDPR. As it will take time to implement new policies, procedures and systems, organisations should take the following immediate steps:
- Appoint a data protection officer
- Educate all key personnel in your organisation on the GDPR
- Make an inventory of all personal data held, including where and why it is held
- Review existing privacy notices to ensure they comply with the GDPR
- Ensure all data procedures cover the right of individuals to have their data transferred or deleted
- Develop procedures to handle data access requests within new timelines
- Develop procedures to handle data protection breaches
In addition, organisations should adopt a “privacy by design and by default” approach when developing new products or services. This means that businesses should take data protection requirements into account from the inception of new technology rather than treating privacy as an afterthought. Even though the GDPR will not come into force until 2018, it is essential that organisations commence their preparation now. Doing nothing is not an option.