The new European Union General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. Before that date, companies must adapt to the new regulation; otherwise, in case of non-compliance, they face fines of up to 20 million euros.
This article sums up the key issues of the new Law. Some aspects are a continuation of the previous regulation, but there are also significant new developments. Read on to learn about them.
Data Protection Officer (DPO)
GDPR introduces the obligation for some enterprises to appoint a Data Protection Officer, who can be an employee or an external consultant.
The DPO is responsible for monitoring compliance with the GDPR, by informing employees of their obligations and of the measures, terms and deadlines they must fulfil.
The new regulation redefines the notion of a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
This definition does not take into account whether the breach harms individuals. However, it makes clear that, in case of a data breach, individuals must notify the Data Protection Authorities (DPA) no later than 72 hours after having become aware of it.
Privacy by design
The new Law gives explicit recognition to ‘privacy by design’. This concept means that companies now have a specific obligation to consider data privacy at the initial design stages of a project, as well as throughout the lifecycle of the relevant data processing.
Rights of data subjects
GDPR provides data subjects with a wide array of rights. One of the most relevant is the right to erasure (the “right to be forgotten”), which entitles data subjects to require a controller to delete their personal data if its continued processing is not justified.
Another is the right to data portability, which gives individuals the right to receive a copy of their personal data in a commonly used, machine-readable format.
The new regulation pays special attention to the personal data of children, especially when it is used on the Internet and social media.
Finally, it has to be highlighted that the regulation must be complied with by all European companies, as well as by international enterprises that manage data of users resident in the EU.