GDPR has brought substantial changes to data protection rules

The EU's General Data Protection Regulation (GDPR) significantly extends the duties of all organizations processing personal data.
At the same time, GDPR introduces stricter controls and significantly higher fines.

Data protection principles under GDPR

  • Lawfulness and transparency

    Process only data collected lawfully, for legitimate purposes, to the necessary extent and only for the necessary period. Create a transparent privacy policy that describes your processing to individuals.

  • Security of personal data

    Secure personal data in such a way that it is protected from theft, loss, misuse or any other unlawful use (information security, technical, personnel and organizational measures).

  • Accountability

    Maintain internal documentation, including records of processing activities. Incorporate privacy into processes, services and products by design and by default. For high-risk operations, conduct a data protection impact assessment.

  • Data breach notification

    Notify the supervisory authority within 72 hours of a personal data breach that poses risks to individuals; if the risks are high, notify the affected individuals directly.

  • Data protection officer

    A data protection officer (DPO) helps with data protection compliance. A DPO is required for organizations that carry out regular and systematic monitoring of data subjects on a large scale or that process special categories of data (e.g. health-related data) on a large scale. A DPO is also mandatory for public authorities and bodies.

  • High fines

    Breaching the data protection obligations may result in significant fines of up to €20 million or 4 % of the company's worldwide annual turnover.

GDPR and individual data protection rights

GDPR expands individuals' data protection rights relating to their personal data. Let's look at some examples:

  • Consent

    Consent must be freely given by affirmative action for a specific purpose about which the individual is sufficiently informed. No pre-ticked boxes and no hiding it in other documents such as terms of use. Consent can always be withdrawn, and organizations must provide an easy way to do so.

  • Right to be informed

    Individuals have the right to be informed about the collection and use of their personal data, including the purposes for processing it, the retention periods for it, and who it will be shared with.

  • Right of access

    The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information about the processing of their personal data.

  • Right to erasure ('to be forgotten')

    Individuals have the right to have their personal data erased. This is also known as the 'right to be forgotten'. The right is not absolute and only applies in certain circumstances.

  • Right to portability

    The right to portability allows individuals to obtain and reuse their personal data in a machine-readable format. The right only applies to information that is processed by automated means and that an individual has provided to a company on the basis of consent or the performance of a contract.

  • Supervision

    Individuals may contact supervisory authorities with their complaints or concerns.

Would you like to know more about Privatry and what we do? Contact us!