General Data Protection Regulation (GDPR)

Key points
  • Comes into force on 25th May 2018
  • Applies if the data controller or processor (organisation) or the data subject (person) is based in the EU
    • Applies to organisations based outside the EU if they process personal data of EU residents
  • According to a recent ruling of the European Court of Justice, when your system or site stores, collects or processes IP addresses, they must be treated as personal data

Requirements
  • Consent must be explicit for data collection and usage. Organisations need to prove that the data subject consented. Consent may be withdrawn. The process must be transparent.
  • Data protection by design and by default requires that data protection is designed into processes, products and services from the planning period, through implementation and deployment, to end of life.
  • Data protection (privacy) settings must be set at the highest possible level by default
  • Every data controller or processor operating in a systematic and regular way should be assisted by a Data Protection Officer: a trained person with expert knowledge who ensures internal compliance with GDPR

Data breaches, crisis management
  • The Data Protection Officer (DPO) is legally obliged to notify the Supervisory Authority (in the UK: the ICO) as soon as they become aware of a data breach.
  • If the data breach carries a high risk for the affected individuals, they will have to be notified about the breach and the risks.
  • Sanctions for non-compliance: from a written warning (non-intentional non-compliance) up to a fine of up to 20,000,000 EUR or up to 4% of total global revenue, whichever is higher
    • Regular Privacy Impact Assessments and Data Protection Audits may be a good idea

Countries need to comply with GDPR if the data subject (citizen) whose data is processed is in the European Union.

If the UK chooses not to handle or process any data covered by the European Union's GDPR, it will put its digital economy at a severe disadvantage, essentially resulting in a dysfunctional economy. Great Britain needs to comply, even though after Brexit the UK will have no influence on data protection regulations.