Today marks the day that the new European Union General Data Protection Regulation is exactly a year away. This time next year, all organisations, inside and outside the EU, that process the data of EU citizens will be subject to the new rules. The General Data Protection Regulation (GDPR) is an overhaul of European data protection law and will harmonise how personal data is processed across the European Union.
“GDPR represents an evolution in data protection rights and obligations, but a revolution in terms of the burden and potential sanctions for non-compliance,” said Paul Lavery, partner and head of the technology and innovation group at McCann FitzGerald.
“All companies need to start getting ready for GDPR as soon as possible, as the consequences for non-compliance will include large fines and even proposed personal liability for directors. For businesses, the potential damage to reputation may be even more dissuasive than any fine.”
Many organisations have yet to begin their preparations for GDPR, and time is rapidly running out. Here are some of the key points that they should be aware of:
The Fines Are Big
The fines under the General Data Protection Regulation are much higher than those currently being levied in most European Union countries. Organisations that lose data can be fined up to €20m or 4% of their revenue, whichever is higher.
Organisations Could Be Sued More Easily
When the General Data Protection Regulation comes into force in May 2018, it will become much easier for an individual to bring a private claim against a data controller that has infringed their data privacy, even where the individual has suffered only non-material damage.
Breaches Must Be Notified
When GDPR comes in, it will bring mandatory breach notification with it. As well as reporting a breach to the relevant authorities, an organisation must notify the affected individuals where the breach is likely to harm them, for example through a loss of confidentiality or identity theft.
Firms Will Have To Explain The Legal Basis For Processing Personal Data
This will be essential under the General Data Protection Regulation. If customer consent is the legal basis for recording and processing data, then the very high standards for consent set out in the regulation will have to be met.
Some Organisations Will Have To Appoint Data Protection Officers
The General Data Protection Regulation will require some, but not all, organisations to appoint a data protection officer. Those that must do so include public authorities, companies that process sensitive personal data on a large scale, and organisations that systematically monitor data subjects in great numbers.