What is GDPR?
Simply put: much stricter compliance requirements.
GDPR applies from 25 May 2018.
The countdown to GDPR compliance has begun. While 25 May 2018 may seem a long way off, building a plan, securing budget, and implementing a programme can take several quarters or more.
Seven key requirements
Do you run a small or medium enterprise?
You still have an obligation to prepare for GDPR; the regulation applies regardless of organisation size.
Scope: expansion of who is subject to the regulation (including organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU), who is protected by it, and who enforces it
Data: new definitions of "personal data" and "sensitive personal data" (the "special categories" of data), and the introduction of pseudonymisation as a recognised safeguard for processing
Consent: stricter consent requirements for data processing (freely given, specific, informed, unambiguous, and as easy to withdraw as to give), and explicit consent requirements for profiling (i.e., automated analysis of personal preferences or behaviour) where decisions based on it have legal or similarly significant effects on the individual
Individual Rights: including the "right to be forgotten" (the right to erasure of personal data, including information published online) and "data portability", the right to receive one's data in a machine-readable format and transfer it easily to another provider
International Data Transfer: restrictions on transferring personal data outside the EEA unless adequacy requirements are met (e.g., via the EU-US Privacy Shield once ratified, Standard Contractual Clauses (model clauses), or Binding Corporate Rules)
Data Breach Notification: notification to the Supervisory Authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals); and, where the breach is likely to result in a high risk to individuals, notification of the affected individuals themselves "without undue delay"
Accountability: governance requirements such as records of processing, data protection impact assessments, audits and Data Protection Officers (DPOs), plus recognition of seals and certification programmes as a route to demonstrate GDPR compliance