General Data Protection Regulation 2018 – Key Changes
It introduces additional compliance requirements for all organisations, including charities and membership bodies.
Territorial Scope – any processing of personal data of an EU resident, irrespective of the organisation's location.
Penalties – fines of up to 4% of annual global turnover or €20 Million (whichever is greater) for e.g. not having sufficient customer consent to process data.
Fines of up to 2% for not having records in order (Article 28), not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment.
Consent – must be clear and distinguishable from other matters using clear and plain language.
Breach Notification – mandatory in all member states within 72 hrs of becoming aware where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
Right to be Forgotten – Data Erasure entitles the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
Right to Access – right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Data Portability – the right for a data subject to receive the personal data concerning them.
Privacy by Design – calls for the inclusion of data protection from the outset of system design, rather than as a later addition.
Data Protection Officers – Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.