The changes introduced by the GDPR, which applies from 25 May 2018, are substantial and aim for a higher level of data protection. The Regulation is a wide-ranging piece of EU legislation that replaces the 1995 Data Protection Directive and introduces concepts such as the ‘right to be forgotten’ and data portability (to call out only a few) which will take some getting used to.
Four GDPR rights
In general, there are four rights for the individual that are new or substantially strengthened:
- Rectification, the right to have inaccurate or incomplete personal data about you corrected;
- Erasure, popularly known as the “right to be forgotten”, the right to have your personal data erased;
- Data Portability, the right to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller;
- Objection to direct marketing, the absolute right to have a controller (and any processor acting for it) stop processing your data for direct marketing purposes.
Below is an overview of the key requirements from two perspectives: the rights of the individual and the obligations of the organization.
The rights of the individual:
- Rectification (NEW)
- Erasure (NEW)
- Data Portability (NEW)
- Objection, absolute for direct marketing (NEW)
- Restrict processing (put on hold)
- Automated decisions and profiling
- Access to data
- Remedy from supervisory authority/court
- Compensation for Damage
- Compensation for Distress
The obligations of the organization:
- Consent harder to obtain/prove
- Privacy notices more detailed/clearer
- Proactively Demonstrate Compliance
- Breach Notification: to the supervisory authority within 72 hours of becoming aware of the breach, and to affected individuals without undue delay where the breach is likely to result in a high risk to them
- Appointment of a Data Protection Officer (mandatory for public authorities, for large-scale regular and systematic monitoring, or for large-scale processing of special categories of data)
- Privacy by Design (data protection by design and by default)
- Data Protection Impact Assessments for high-risk processing
- Direct obligations for Processors, and shared responsibility under Joint Controllership
Steps to prepare:
- Ensure that the relevant departments know that the law is changing, and anticipate the consequences of the GDPR for them.
- Document what personal data is retained, where it comes from and with whom it is shared (the record of processing activities).
- Review current privacy notices and make any necessary changes.
- Identify and document the legal basis for each processing activity.
- Make sure procedures are in place to detect, report and investigate data breaches, including notifying the supervisory authority within 72 hours where required.
- Assign a data protection officer where required, who takes responsibility for compliance with the principles and rules regarding the protection of personal data.
If you have any questions about GDPR, please get in contact with us or call us at: +31 (0)35 699 06 99. We’re happy to help you.