GDPR takes effect in 10 days

May 15, 2018 by

With the GDPR compliance deadline on 25 May 2018, there is little time to get ready, but it is not too late.  The GDPR is the most significant change in data privacy regulation in more than 20 years.

It comes into force on 25 May 2018 and will affect all businesses that process personal data, including businesses that process personal data of EU citizens even if they are not in the EU.

Obligations for compliance will affect both controllers and processors, and regulators will get increased enforcement powers and the right to impose fines of up to 4% of global turnover for both data breaches and infringements of the law. Basically, any breach of the GDPR can attract a fine.

Now is the time to assess the data flow within an organisation and update data protection strategies and policies. The GDPR has onerous requirements for consent and requires that consumers and employees know what their personal information is being used for. Gathering consent for ‘old’ data can be tricky. In practice, the parental consent requirement is also proving to be a challenge, with the result that most companies effectively ban youth under 16 from using their services.

Some businesses will have to conduct a data processing impact assessment. A data processing impact assessment is required for data processing that is considered high-risk. This means identifying, documenting, and assessing the risk of a privacy breach occurring and the risks for the individuals concerned. A data processing impact assessment is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

Failure to conduct a data processing impact assessment (or to do so correctly) can result in fines of up to €10 million or 2% of worldwide turnover, whichever is greater. The EU Article 29 Working Party (WP29) recently published draft guidelines to clarify when data processing impact assessments are required and how to conduct them.

Some businesses may have to appoint a data protection officer (DPO) and – if they do not have a physical location in the European Union – a European representative.
