General Data Protection Regulation 2018 – Key Changes

It introduces additional compliance requirements for all organisations, including charities and membership bodies.

Click here for a full summary of changes

Territorial Scope – any processing personal data of an EU resident, irrespective of organisation location.

Penalties – fined up to 4% of annual global turnover or €20 Million (whichever is greater) for e.g.not having sufficient customer consent to process data.

fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment

Consent – must be clear and distinguishable from other matters using clear and plain language.

Breach Notification –  mandatory in all member states within 72 hrs of becoming aware where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.

Right to be Forgotten – Data Erasure entitles the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.

Right to Access – right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

Data Portability – the right for a data subject to receive the personal data concerning them.

Privacy by Design – calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

Data Protection Officers – Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.

Opt Out Option Click here to opt-out.