The key facts that organisations need to know about the GDPR are:
The GDPR may apply to organisations anywhere in the world that process information relating to European residents. Use our checklist to see whether it applies to your organisation.
The GDPR widens the definition of personal information. Personal information is defined as any information that relates to an identified or identifiable living person.
The GDPR tightens the rules for obtaining valid consent to using personal information. Organisations must be able to prove they have clear, freely given and affirmative consent.
The GDPR makes the appointment of a Data Protection Officer (DPO) mandatory for certain organisations. TwoBlackLabs can provide a Virtual Data Protection Officer for your organisation.
The GDPR introduces mandatory Privacy Impact Assessments (PIAs). Organisations are required to conduct PIAs where the inherent privacy risks are high.
The GDPR introduces a common data breach notification requirement. The regulation requires organisations to notify their Data Protection Authority of a data breach within 72 hours of discovering it, unless the breach is unlikely to result in risk to individuals.
The GDPR introduces the right to be forgotten. This means organisations must delete all information relating to the individual if requested.
The GDPR expands liability beyond controlling companies. Any organisation that handles personal information, even if on behalf of a client, is now liable. Fines extend to 4% of worldwide turnover or 20 million euros, whichever is the larger.
The GDPR requires privacy by design. Privacy must be included in systems and processes by design.
The GDPR introduces the concept of a one-stop shop. Any European Data Protection Authority can now take action against organisations, regardless of where in the world the organisation is based.
If you believe the GDPR may apply to your organisation and you need further assistance, TwoBlackLabs offers a range of GDPR services.