
Extension of territorial reach
The regulations extend to data controllers and processors beyond the EU whose activities relate to the “offering of goods and services” to EU data subjects or the “monitoring” of EU data subjects. If your website is merely accessible to EU citizens but not aimed at them, it is less likely you will be caught by the regulations. However, if your website uses the language or currency of one or more member states and/or allows goods or services to be ordered by EU citizens, then it is more than likely that a company based outside the EU will be subject to the regulations. “Monitoring” will cover any form of tracking of individuals, e.g. techniques for behavioural targeting.
Accountability and privacy by design
Data subject consent
The Regulations make it clear that a data subject’s consent to process their personal data must be freely given, informed, specific and unambiguous, demonstrated by either a statement or a clear affirmative action. It can be withdrawn, and “explicit” consent must be given for sensitive data. The data controller must be able to demonstrate that such consent was provided. The guidelines suggest that data authorities will look closely at whether consent has genuinely been freely given: for example, where e-commerce services are made conditional upon agreeing to a company’s privacy policy, this is unlikely to be regarded as freely provided consent. Where a data subject’s personal data is processed for direct marketing, the data subject will have the right to object.
Notification of a data breach
Currently, as a general rule, there is no absolute requirement on companies to notify the Information Commissioner of a breach of the Data Protection Act. The regulations change this. From 2018, any breach or suspected breach must be notified to the DP Authority without undue delay and, where possible, within 72 hours of becoming aware of it.
Fines
No more notification requirements
It’s not all doom and gloom for businesses. One welcome change is the removal of the requirement to notify or register (and pay a fee) with the DP Authority. The onus is now on the individual company to self-police. Read on to find out what your company should be doing now to prepare.