Overview of the key changes under GDPR:
Increased Territorial Scope: Applies to the processing of personal data of data subjects residing in the Union by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not;
Data Protection Officers: DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences;
Privacy by design: “The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects” (Art. 23);
Data Portability: The right of a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and to transmit that data to another controller;
Penalties: A maximum fine of up to 4% of annual global turnover or €20 million, for example for not having sufficient customer consent to process data or for violating the core Privacy by Design concepts;
Consent: The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent;
Breach Notification: In all member states, where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, breach notification must be made within 72 hours of first having become aware of the breach;
Right to Access & Right to be Forgotten: Data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Moreover, data subjects can have the data controller erase their personal data, and potentially have third parties halt processing of the data.