10 key points of the GDPR 30 Oct 2017

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. The key points of the GDPR, as well as information on the impacts it will have on business, can be found below.

#1 Schedule

General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.

#2 Territorial scope

GDPR is mandatory for all companies interacting with EU residents, regardless of where the company is located or headquartered.

#3 Impacts of Brexit on the GDPR

The regulation will be transposed fully into UK law, even once the UK has made its exit from the EU.

#4 Penalties

Under the GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.

#5 Consent

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

#6 Breach notification

Breach notification will become mandatory in all member states and must be done within 72 hours of first having become aware of the breach.

#7 Right to access

Data subjects will have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

#8 Right to be forgotten

This entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

#9 Data portability

GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’.

#10 Data Protection Officers

DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
