GDPR – key points

GDPR, or the General Data Protection Regulation is on the top of mind of many managers in business community. The GDPR is due to come into force in 2018 and has the potential to significantly alter the way businesses handle data. At over 200 pages long, the regulation is possibly the most wide-ranging piece of legislation passed, ever.

Notable GDPR Implications

The introduction of a new or a revamp of existing concepts in GDPR will cause some major changes to the operations of companies. These include:

Consent for children: In order to use data relating to children, companies will need to seek parental consent. Children are identified as ‘vulnerable individuals’ and deserving of ‘specific protection.’
Personal & Sensitive Data: The definition of what is personal or sensitive data has been expanded to include genetic and biometric data. Relevant to this is the introduction of tokenization as a privacy tool.

Breach Communication law: A new security breach communication law will be introduced for all data controllers.

Data Protection by DesignBusinesses will need to demonstrate that technical and procedural processes which adhere to GDPR requirement have been implemented s at an early-stage.

Enhanced individual rights: Includes the right to be forgotten, the right to request the porting of personal data to an alternative service provider, amongst others.

Subject access: Upon request, data controllers must confirm if they have an individual’s personal data and provide a copy within one month. This will require organisations to assess its ability to provide data in a timely and accurate manner.

Transferring data outside of the EEA: Under GDPR, transferring of personal data to countries outside of the EEA will continue to be restricted and will remain a significant issue for multinational organisations.

Are you ready?

These are just some of the high level changes that GDPR will bring in for European businesses. As more businesses delve into the details, more challenges will undoubtedly emerge.
Irish Data Protection Commisioner has issued a guidance note.
The UK’s Information Commissioner’s Office has released guidance on how companies can prepare.

Some companies I spoke to said they were preparing to appoint Data Privacy Officers across the business to assist with GDPR. Others were engaging external consultants to help with the implementation. It looks like the GDPR will remain a talking point for many years to come.