The new General Data Protection Regulation (GDPR) was recently agreed and will come into force two years from publication, so by 25 May 2018.
Its reach is wider than the existing Data Protection Directive and it will apply directly to controllers and processors of data.
Go deeper with GlobalData
It gives more control to individuals over the use of their personal data and will be more consent-based than current data protection laws.
The GDPR brings in a set of uniform rules across the European Economic Area and will have direct effect so does not require implementing national legislation. Businesses need to start preparing for the changes to come.
New mandatory requirements will be introduced:
– The right to be forgotten.
– The right of portability.
– Privacy by design.
– Data protection officers for all organisations processing sensitive data on a large scale or having large-scale customer databases. SMEs will be exempt unless personal data processing is a core business activity.
– Privacy impact assessments (with limited exception for SMEs unless high-risk).
– Serious security breach notifications to the national supervisory authority without undue delay: within 72 hours where feasible.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataThere will be a tiered approach to penalties for breaches of the GDPR. Fines of up to 4% of global annual turnover for the previous financial year or 20m (£15.4m), whichever is higher, can be imposed depending on the breach.
The GDPR will also apply to organisations outside Europe which are targeting goods and services at, or tracking or profiling individuals in Europe.
So what should businesses handling personal data be doing to prepare for the changes that the GDPR will bring in?
– Make sure the board is aware of the new requirements and penalties and the risks to the business if not GDPR-compliant within the next two years.
– Appoint and train a data protection officer. One may be mandatory under the GDPR but even if not, appointing one may be a good idea given there will be a lot to do.
– Assess what personal data is processed around the business and re-examine all existing data protection policies, training, privacy notices etc. Ensure they are up to date and compliant with current laws, and start working on them now to make sure they will be GDPR-compliant
– Assess what processing of personal data will need to be consent-based in future, whether the business already has the necessary consents (do they meet the new conditions) or whether fresh consents need to be obtained? If so, what information should be provided to the data subject so that the consent obtained is informed consent and how will you evidence this?
– If the business does not already have them, consider implementing compliance tools, such as data protection impact assessments, a security breach handling policy and so on. They will be a must, not a nice-to-have, once the GDPR is implemented.
– Update data processor and security provisions in contracts to cover extended processor obligations that controllers mustcontractually impose. Data processors must themselves consider what additional risks such provisions will have on their businesses. They will also have direct responsibilities and face potential fines under the GDPR.
To find out more about GDPR and the automotive industry, visit: gowlingwlg.com/driverless to download Are you data-
driven?, a white paper prepared by Gowling WLG on behalf of UK Autodrive.
Greg Standing is a partner at Gowling WLG
