If you are, then you're part of a small 5% minority. Here's what you need to know…
Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be enforced for the most serious violations. Fines follow a tiered approach: a company can be fined 2% for not having its records in order (article 28). It can also be fined for not informing the supervisory authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
The conditions for consent have been strengthened, and companies will no longer be able to use complicated and illegible terms and conditions as the request for consent. Information must be given in a clear and easily accessible form, with the purpose of the data processing clearly outlined. It must also be as easy to withdraw consent as it is to give it.
Data Subject Rights
Breach notification will become mandatory under GDPR. A notification must be made where a breach could “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will be required to notify their customers “without undue delay” after first becoming aware of a data breach.
Right to Access
Data subjects will now be able to request any personal data that a data controller holds about them. They will also be able to learn where the information is being stored and for what purpose. The data controller must then provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten allows the data subject to have the controller erase their personal data. The conditions for this include the data no longer being relevant to its original purposes, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
GDPR introduces data portability. This is the right of a data subject to receive their personal data from the controller, provided in a 'commonly used and machine readable format'. They also have the right to transmit that data to another controller.