The top 5 changes from the current legislation (Data Protection Acts 1988 and 2003) are:
1. Tougher sanctions for non-compliance
Failure to comply with the statute can result in heavy fines and restitution: upwards of 4% of your global revenue or €20m, whichever is higher (Article 83(5) of the regulation). The Supervisory Authority is not required to impose fines, but it must ensure that any sanctions imposed are effective, proportionate and dissuasive.
2. More individual rights
The regulation makes it considerably easier for individuals to bring private claims against data controllers and processors.
The Regulation also gives people the right to have their personal data corrected if it is inaccurate, expands their right to have irrelevant or outdated information removed, and sets out the ‘right of erasure’, also known as the right to be forgotten.
3. Concept of Accountability
The regulation introduces the concept of accountability. It requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business.
4. Wider scope
Even if an organisation is not established within the EU, it will still be caught by GDPR if it processes the personal data of data subjects who are in the EU.
5. Mandatory breach notifications
GDPR brings in mandatory breach notifications, which will be new to many organisations. All breaches must be reported to the Data Protection Commissioner, typically within 72 hours, unless the data is anonymised or encrypted.
To find out how we can help you with your data protection requirements, contact a member of our Data Protection team.