Some key points:
Personal Data has been refined
The EU GDPR enforces a strict and broad definition of personal data, referring to any information that can be used, on its own or in conjunction with other data, to identify an individual.
New Individual Rights
Organisations will have to disclose the intended use and duration of storage of the data required, and re-solicit permissions each time a new use of the data is proposed.
EU citizens will have control over their personal data, and will have the right to access, amend, and request the deletion of that data.
They will have the right to object to certain types of processing, such as profiling for marketing purposes.
Mandatory Breach Notification
Under the new Regulations, organisations are required to report data breaches to the individuals whose data was lost and to a supervisory authority within 72 hours. The data breached, and the preventative security measures in place at the time of the breach, must then be evaluated to assess the repercussions and ensure future compliance.
Consequences for non-compliance will be severe, with steep fines being put in place. If violations occur, organisations could be fined either 4% of their global turnover or 20 million euros, whichever is higher, compared with a previous maximum of £500,000.
Data Controllers (organisations who acquire EU citizens' data) and Data Processors (organisations who may manage, modify, store, or analyse that data on behalf of or in conjunction with the controllers) are jointly responsible for complying with the new rules.
Organisations are required to actively track how and where data are stored and used. This means that security must be built into products and processes through the use of risk management tools. A Data Protection Officer must be appointed if an organisation employs over 250 people.