Companies in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is higher. That is the maximum fine, reserved for serious infringements such as processing customer data without customer consent or violating the core principles of privacy by design.
Personal data is defined as any information relating to a person (the 'Data Subject') that can be used to identify that person directly or indirectly. It can be a name, a photo, an email address, content from social networking, medical information, a computer IP address, an identification number, location data, an online identifier, or one or more factors specific to the physical, genetic, economic, cultural or social identity of that person.
Data processor and data controller
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Controllers and processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.” Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these tools to demonstrate compliance.
Consent must be explicit, both for the data collected and for the purposes the data is used for. Consent for children must be given by the child's parents or custodian, and it must be verifiable. Data controllers must be able to prove consent (opt-in), and consent may be withdrawn.
The conditions for consent have been strengthened: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, meaning it must be unambiguous. Consent must be clearly distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
Right to Access
Data subjects (EU residents) have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and where and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Data Erasure (previously Right to be Forgotten)
The data subject has the right to request that the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Consent for Children
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.
Data Protection Officer (DPO)
DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large-scale systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data (Art. 37). If your organisation does not fall into one of these categories, then you do not need to appoint a DPO.
Data breach notification
Proposed regulations surrounding data breaches primarily relate to the notification obligations of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours, and to the affected individuals without undue delay.
Data Portability
GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format', and the right to transmit that data to another controller.
Privacy by Design
Privacy by design as a concept has existed for years, but it is only now becoming a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be included from the outset of system design, rather than added afterwards. More specifically: 'The controller shall... implement appropriate technical and organisational measures... in an effective way... in order to meet the requirements of this Regulation and protect the rights of data subjects'.