The new legislation brings about some specific changes for business, the most significant being the monetary implications on non compliance.
Introduction of significant Fines
Tier One: Up to €10 million or up to 2% of annual worldwide turnover of the parent company, the higher amount
Tier Two: Up to €20 million or up to 4% of annual worldwide turnover of the parent company, the higher amount
The right to erasure
If an individual no longer wishes for their data be processed, and there are no legitimate grounds for retaining it, the data must be deleted. The onus is on data controllers to prove that they need to keep the data, not on the data subject.
Mandatory notification of a data breach
Organizations will now be required to report a data breach to the Data Protection Commissioner, within 72 hours of becoming aware of the breach.
Portability of data
The regulations propose the right that data subjects will be able to transfer their personal data in a commonly-used electronic format from one data controller to another without hindrance from the original controller.
Privacy by design
This is one of the fundamental ideas of the new regulation and one that aims to change an organizations overall attitude and planning towards data protection. Article 23 stipulates that Data Protection should be designed into the development of business processes, so privacy is a consideration right from the start of project
Appointment of a Data Protection officer (DPO)
Certain activities, such as large scale monitoring of individuals or processing of special category data, require an organization to appoint a DPO. Even if you don’t need to, it’s good practice to appoint a DPO with knowledge of information security and an understanding of data protection law.