Changes To Current Data Protection Laws
- Definition of personal data is getting broader
- Consent will need to be much more explicit
- Changes to focus on the delivery of services and goods to individuals in the EU
- The movement / behaviour of EU data subjects' data will be monitored
- The Data Controller and Data Processor responsibilities become the same
- Administrative fines come in two tiers for specific breaches, and they are getting a lot bigger
- The maximum fine in the UK is currently £500,000, but there will be increased fines of greater than €20,000,000 or 4% of global revenue; this is further compounded by customer compensation claims if data is breached.
- Data Protection Officers are mandated for all organisations.
Changes From 8 Principles To 6 Data Principles
Under the Regulation, processing of personal data will need to comply with all six of its principles:
Data Protection 8 Principles
- Fairly and lawfully processed;
- Processed for specified purposes;
- Adequate, relevant and not excessive;
- Accurate and, where necessary, kept up to date;
- Retention - Not kept for longer than is necessary;
- Processed in line with the rights of the individual;
- Data must be kept secure; and
- Not transferred to countries outside the European Economic Area unless the information is adequately protected.
EU GDPR 6 Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
(Management Accountability is the key topic)
The Regulation states that controllers are responsible for complying with these principles as well as being able to demonstrate their compliance.
Data Controllers and Processors are responsible for meeting the new regulatory obligations.
- Businesses need to demonstrate EU GDPR compliance
- EU GDPR places new legal requirements on data controllers' businesses to demonstrate compliance with the new regulation.
- EU GDPR mandates that organisations put in place comprehensive privacy management controls with adequate governance measures.
- EU GDPR needs to be part of the company's overall information systems approach to how it manages and processes personal data.
- The new legislation puts the onus on companies to understand their current risks that place individuals' data at risk, and then to clearly demonstrate how those risks are mitigated with robust processes.
There are several new systems required to help meet the regulatory obligations.
- Demonstrate EU GDPR compliance
- Senior Board accountability
- Appoint a Data Protection Officer (either physical or virtual)
- Data Discovery / Data Mapping of flows
- Centralised EU GDPR Dashboard Tool
- A system to respond to a SAR (Subject Access Request) within 30 days, not 40 days (see the subject access code of practice)
- Logging & Monitoring on all data sources
- Data Portability across systems
- Data Breaches are reported within 72 hours
- Hold an up-to-date Risk Register
- New ongoing reporting requirements
Next Steps / Actions
- Call Digital Secures' Information Privacy Team for a consultation session or meeting.