What is GDPR?
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. Any organisation that processes the personal data of individuals in the EU needs to be compliant, whether or not the organisation itself is established in the EU.
The GDPR carries forward the rights and principles already set out in the Data Protection Directive (95/46/EC) and the Data Protection Acts (DPA). It also introduces some more significant changes, such as:
- A requirement to actively demonstrate compliance and document processing activities;
- Greater powers for supervisory authorities and stronger remedies for data subjects. The Office of the Data Protection Commissioner (ODPC) will be able to impose administrative fines of up to €10M or 2% of total worldwide annual turnover (whichever is greater) for infringements of obligations placed on controllers and processors (for example, data protection by design, breach notification and impact assessments), and up to €20M or 4% of total worldwide annual turnover (whichever is greater) for infringements of the basic processing principles, data subjects' rights or the rules on international transfers;
- Mandatory reporting of personal data breaches to the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected data subjects must also be informed;
- Introduction of 'privacy by design' (the GDPR's term is 'data protection by design and by default') as a concept when developing, designing, selecting and using applications, services and products that are based on the processing of personal data;
- A requirement to complete Privacy Impact Assessments (PIAs; called Data Protection Impact Assessments, or DPIAs, in the GDPR) before starting new processing, or changing existing processing, that is likely to result in a "high risk to the rights and freedoms" of data subjects. This includes systematic and extensive profiling, large-scale processing of special categories of personal data, and large-scale systematic monitoring of publicly accessible areas.