10 changes in the new European Data Protection Regulations likely to impact your organisation
The UK's data protection laws will change within the next two to three years: individuals will gain greater rights over their personal information, and organisations will be required to have stricter, documented processes, policies and practices.
Our advice – start taking steps now to minimise the impact.
Make sure you are prepared well in advance of the new Regulation coming into force, so that you minimise the impact on your business. Below are the top ten changes.
Increase in Fines
The maximum fine will increase from the current £500,000 ceiling to as much as 100 million euros or 2-5% of annual global turnover, whichever is greater, under the draft texts; the Regulation as finally adopted set the ceiling at 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Changes to Data Breach Notifications
All breaches must be logged internally, and any breach likely to put individuals at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it.
Explicit Consent Needed for Processing
Where an organisation relies on consent to process personal information, that consent must be explicit: freely given, specific, informed and given by a clear affirmative action. Silence, inactivity or pre-ticked boxes will not count. Consent is one lawful basis among several, so check which basis you actually rely on for each processing activity.
Privacy by design
A documented framework for privacy by design and by default must be in place, so that data protection is built into the design of data systems, processes and services from the outset rather than added afterwards.
Stricter Requirements for Organisations Processing Data
Organisations must document their data processing operations and maintain information and data policies that demonstrate a culture of best practice; being able to show compliance matters as much as being compliant.
Stricter Documentation Requirements for Data Sharing and Data Processing
Data sharing contracts or agreements with third-party processors must be up to date and must document the respective responsibilities of each party.
Data Protection Officer Requirement (employee or contractor)
An organisation must appoint a Data Protection Officer, who may be an employee or a contractor, if it:
- Is a public authority
- Employs 250 or more staff
- Carries out, as a core activity, regular and systematic monitoring of individuals or large-scale processing of sensitive personal data
(The 250-staff threshold appeared in the draft text; the adopted Regulation dropped it and relies on the nature and scale of the processing instead.)
The Right to be Forgotten
Individuals will be able to require the erasure of their personal data, for example where it is no longer needed for the purpose it was collected for, or where they withdraw consent and no other lawful basis for keeping it applies.
The Right to Object to Profiling
Individuals will have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or otherwise ‘significantly affect’ them.
Removal of Organisational Ability to Charge a Fee for Subject Access Requests
Organisations will no longer be able to charge a fee on receipt of a Subject Access Request, except for a reasonable fee where a request is manifestly unfounded or excessive.
Melody Allsebrook Dip.RIMPC.dp
M2M Consultants Ltd
Melody is an established and experienced Data Protection and Information & Records Management specialist with 13 years' experience of working within the public sector, and the owner and Director of her own information management and data protection consultancy and training company, M2M Consultants Ltd. Melody will be providing a regular blog giving best-practice guidance and advice to help organisations work practically and in compliance with data protection regulations and information management laws.