
Earlier in 2016, the EU regulators adopted a new EU data protection framework, which will come into force in all EU countries on 25 May 2018. It takes the form of a regulation, which means it is binding on all member states without the need for national legislation. The new General Data Protection Regulation (GDPR) replaces the current directive and places new and heavy obligations on those affected. In order to comply, all relevant firms within the EU will need to invest considerably. But before we look at the likely impact of Brexit on these new rules, let us take a brief look at what is involved here.

Data processors outside the EU – The new GDPR applies to all data controllers and processors located outside the EU if some (or all) of their processing activities are directed at data subjects within the EU. Under current legislation, this is not the case. Under the new rules, many external organisations will be required to appoint a representative in the EU.

- Carrying out a risk assessment on processing procedures. Controllers must implement new procedures, identify high-risk operations and consider the potential risks. There are significant fines for getting this wrong;
- Implementing data protection by design and by default – ensuring that the privacy of data subjects is properly protected;
- Keeping a detailed written record of processing activities carried out by each controller;
- Appointing a Data Protection Officer (DPO) if the processing is carried out by a public authority, or is considered to be on a “large scale”;
- Appointing an EU representative if the organisation is not established in the EU;
- Notifying any data breach to the Data Protection Authority (DPA) within 72 hours. In most circumstances the breach should also be notified to affected subjects without undue delay;
- Providing information to data subjects at the same time as the data is obtained. Existing procedures that provide for “fair processing notice” will need to be checked, as the new requirements in the GDPR are much more detailed and demanding; and
- Obtaining consent to the processing of a subject’s personal data. Consent must be as simple to withdraw as it was to give in the first place. Explicit consent must be obtained for the processing of sensitive data. Existing consents will only remain valid if they comply with the new conditions.