What does GDPR mean for businesses?
New obligations for data processors
Under the GDPR, both data controllers and data processors are responsible for compliance with data protection legislation – meaning that not only the owners of personal data are responsible for meeting the requirements of GDPR, but those holding or using that data (such as external marketing or IT suppliers) also have responsibilities.
Affirmative consent requirements for processing
A key principle for processing data is that the procedure must be fair and lawful. The bases on which data is processed are a key area of reform. The previous rules were often interpreted too widely by data controllers.
One basis for fair and lawful processing is gaining the individual’s consent. Under previous legislation, practice arose in many industries whereby consent was implied by the actions or inactions of the data subject. Under GDPR, this practice is no longer acceptable. Consent must be freely given, specific, informed and unambiguous.
Privacy by design implications
Under GDPR, organisations are obliged to adopt an approach that promotes privacy and data protection compliance from the outset. All businesses in high-risk situations should consider carrying out Data Protection Privacy Impact Assessments.
Potential fines for security breaches
There is stronger enforcement action under GDPR where there is a breach of the data protection rules, including fines of up to 4% of an organisation’s turnover. Enforcement action is unified across the EU with each national supervisory authority authorised to take action.
Enhanced rights of data subjects
The rights of individuals in relation to their personal data have been enhanced under GDPR. This impacts on the information which should be included in privacy policies and procedures and the way in which Subject Access Requests (SARs) from individuals should be handled.
Appointment of Data Protection Officers
A properly equipped Data Protection Officer (DPO) can prove invaluable to an organisation dealing with vast amounts of data. Certain organisations, due to their size or business operations, are required to appoint a DPO to oversee compliance with data protection law.
In the UK, this is a new requirement for those dealing with personal data, however some EU member states already require some organisations to have a DPO in place.
The GDPR applies to the personal data of all individuals within the EU and to organisations processing their data, regardless of whether those organisations are based within the EU themselves. In the age of data sharing, personal data may be processed in a number of different jurisdictions and GDPR makes provision for identifying which data protection authority will supervise cross-border organisations.