Adieu, Big Brother. Here are the new privacy rules:
The new General Data Protection Regulation (GDPR) answers all of these questions.
As the new regulation will affect all organizations that handle personal data, we need to ask ourselves why this regulation is so important and how companies can get properly prepared for it. Sufficient preparation will be key, since the GDPR introduces high sanctions for non-compliance, including revenue-based fines of up to 4% of annual worldwide turnover or €20 million in cash, whichever is higher.
Which substantial changes are coming our way?
Keep a detailed record of all processing activities
Companies will have to keep records of personal data processing (under Article 30, GDPR). Such records state what types of data are recorded, with whom this data is shared and which safety precautions have been taken to protect it.
Accountability and transparency are key
GDPR requires companies to demonstrate more transparency and to respect the increased rights of data subjects such as the right to be forgotten, the right to data portability, the right to rectify, the right to object and the right to restriction of processing.
Consequently, policies, contracts and supply chains will need to be reviewed and realigned as much as possible, in order to be in accordance with the GDPR before it comes into effect.
Data Protection Officers
The GDPR obliges private companies whose core activities consist of processing operations that require regular, large-scale and systematic monitoring of data subjects to appoint a ‘Data Protection Officer (DPO)’.
Article 39(1)(b) of the GDPR entrusts DPOs, among other duties, with the duty to monitor compliance with the GDPR. Recital 97 further specifies that the DPO ‘should assist the controller or the processor to monitor internal compliance with this Regulation’.
If you process data on a small scale, it is still key that HR, IT, Risk and Legal are well aware of the new regulation, so that internal data flows and data processing activities are secured and follow the GDPR requirements.