GDPR – The EU’s General Data Protection Regulation (GDPR) is due to come into effect on 25 May 2018.
What is the GDPR?
The GDPR is a new set of regulations aimed at protecting EU citizens from privacy and data breaches.
The GDPR separates organisations that handle data into data controllers (organisations that determine the purposes, conditions and means of processing personal data) and data processors (organisations that process data on behalf of a data controller).
Key Points
Extra-Territorial Applicability
- The GDPR will apply to organisations processing personal data of people residing in the EU, regardless of the organisation’s location. Non-EU businesses processing the data of EU citizens will need to appoint a representative in the EU.
Penalties
- Organisations which breach the GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater).
Consent
- Organisations will no longer be able to use long, illegible terms and conditions full of legal jargon. Requests for consent to collect and use data must be given in an intelligible and easily accessible form and include the purpose for which the data is going to be used. Consent must also be as easy to withdraw as it is to give.
Breach Notification
- Organisations will be required to notify their customers and data controllers when there has been a data breach that is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first becoming aware of the breach.
Right to Access Data
- Individuals will have the right to confirm with a data controller whether their personal data is being processed, as well as where and for what purpose. Individuals can also obtain a free electronic copy of their personal data that is being held by the data controller.
Right to be Forgotten
- Individuals will have the right to have their personal data erased and to stop the further dissemination of their data.
Data Portability
- Individuals will have the right to receive their personal data that is being held by a data controller and transmit that data to another controller in certain circumstances.
Privacy by Design
- Data controllers will now be required to build data protection into their systems from the outset of design, rather than as an afterthought. Data controllers are asked to hold and process only the data that is strictly necessary for the completion of their duties, and to limit access to personal data to only those who need it.
Data Protection Officers
- Certain organisations will be required to appoint Data Protection Officers.
If your organisation processes the personal data of EU citizens or offers goods and services to individuals in the EU, it is important to ensure that you are GDPR-compliant before 25 May 2018. This is particularly relevant to Australians who provide services to, or operate e-commerce websites serving, individuals in the EU.
You can read more about the GDPR here.
By “CFL”