The mention of GDPR is everywhere. And for good reason. On 25 May 2018, a new Data Protection law comes into play. The General Data Protection Regulation becomes the upgrade to the current Data Protection Act (1998) and gives individuals new rights over their personal data. But there’s a knock-on effect – businesses that are in the habit of storing and using consumer and customer data have new obligations to consider in the way they hold and use that personal data.
Following on from a blog published by our affiliate CFPro Ventures earlier this week, we continue the discussion through a graphic produced by Tim Clements & the IAPP, which perfectly sums up the key responsibilities of all involved in the changes.
Here’s what you need to know.
What organisations have to do:
- Keep records of all processing of personal information
- Institute safeguards for cross-border data transfers
- Maintain appropriate data security
- Collect personal data lawfully and fairly, and where relevant, get appropriate consent and provide notification of personal data processing activities
- Get a parent’s consent to collect data for children under 16
- Consult with regulators before certain processing activities
- Provide appropriate data protection training to personnel having permanent or regular access to personal data
- Conduct Data Protection Impact Assessments on new processing activities
- Implement Data Protection-by-Design (Privacy “baked-in”)
- Take responsibility for the security and processing activities of third-party vendors
- Appoint a Data Protection Officer (if you regularly process lots of data, or particularly sensitive data)
- Be able to demonstrate compliance on demand
- Notify data protection agencies and affected individuals of data breaches in certain circumstances
What individuals can do:
- Withdraw consent for processing
- Request a copy of all their data & request corrections if wrong
- Request the ability to move their data to a different organisation
- Request that their information is deleted when there’s no purpose to retain it
- Object to automated decision-making processes, including profiling
What regulators can do:
- Ask for records of processing activities and proof of steps taken to comply with GDPR
- Impose temporary data processing bans, require data breach notification, or order erasure of personal data
- Suspend cross-border data flows
- Enforce penalties of up to 20 million Euros or 4% of annual revenues for non-compliance
CFPro is proud to be affiliated with CFPro Ventures and our extended partner network that deliver critical operational and strategic infrastructure to businesses who are aiming to grow. While we help you focus on long-term growth, we also help you ensure that what you do day-to-day keeps you compliant and in line with expectations placed on you by industry standards, your shareholders and your greater client base. If you want to know more about how we can help you, get in touch with us today.