The General Data Protection Regulation, also known as the GDPR, came into force on 25 May 2018. The GDPR makes a major contribution to the protection of individual privacy, an important, and particularly topical, basic right. From 25 May 2018 the same privacy legislation applies throughout the EU.
Among the provisions of the GDPR are:
- strengthening and expanding privacy rights;
- more responsibilities for organisations.
As a consequence, organisations must comply with the six basic principles of the GDPR:
Record of Processing Activities
Every organisation must be able to demonstrate transparently how and for what purpose personal data is collected and with whom it is shared.
Data Privacy Impact Assessment (DPIA)
The GDPR is also based on an organisation bearing its own responsibility. This means that in defined cases the organisation carries out a triage to determine the risk level. If a triage shows that there is a high risk in the area of data protection, the organisation is obliged to carry out a DPIA – Data Privacy Impact Assessment.
Data breach notification
The GDPR requires organisations to set up a Data Breach Register. Incidents and data breaches are to be recorded in it, and in some cases they must be notified to the Personal Data Protection Authority.
Data Subjects Rights
Individuals have the right to access, rectify and erase the information your organisation holds about them. They also have the right to object and, once the commercial relationship has ended, the right to be forgotten and to take their data away. All of this falls under the SAR (Subject Access Request).
Data Processing Agreement
Where your organisation shares personal data with a supplier (for example because it has outsourced customer service), it is obliged to conclude a data processing agreement with that supplier.
Privacy by Design and Privacy by Default
From 25 May 2018 the impact of every business or IT initiative on data protection must be considered from the outset.