27 July, 2017
The location of data processing equipment is no longer a determining factor - i.e., worldwide businesses cannot avoid the application of the GDPR by locating processing equipment outside the EU. In the category of "data protection by design", there is a general obligation to "implement technical and organisational measures to show that [a company] has considered and integrated data protection into processing activities". Individuals will be required to clearly give their affirmative consent - e.g., it is expected that website tick-boxes must be "opt-in" and must not be pre-ticked.
"These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organisation out of business". With the right tools and an organisation-wide commitment, even the largest company can gain control of its sensitive data and protect itself from hackers, spies, and government sanctions. This will particularly impact websites and apps targeted at children. In fact, research firm PWC states that 92% of USA businesses list GDPR as a priority because they are working internationally or have European Union students that visit. There is also a "right to erasure" that provides an individual a right to have personal data erased if it is "no longer necessary in relation to the objective for which it was originally collected/processed".
Processors - Data processors will be directly subject to the provisions of the GDPR.
In Singapore, a breach of its data protection law could result in a potential fine of S$1 million. This means that they aren't actually compliant. According to recent research, cyber-attacks can cost businesses anywhere from $14.00 to $2.35 million per incident, and data breaches and attacks are growing all the time. The risk of not meeting GDPR requirements can be cost-prohibitive in other ways. However, as most breaches could arguably result in a risk to an individual, further guidance is now being sought on this point.
The EU Commission may identify specific jurisdictions which are deemed to have adequate data protection laws in place and to permit data transfers to those jurisdictions. The EU and US have negotiated a new data transfer agreement (the Privacy Shield) to replace their previous transfer arrangements.
In the absence of a relevant decision by the European Commission, the transfer of data to a third country without the need for the data protection authority's consent may take place only if adequate safeguards are provided, such as the use of Binding Corporate Rules (BCR) approved by the competent authority for the protection of personal data (a solution particularly favourable for global corporations), standard contractual clauses adopted by the European Commission (controller-controller or controller-processor clauses), or the use of an approved code of conduct or certification mechanism. Binding corporate rules must be approved by the Information Commissioner's Office.
Labour MEP and head of the committee Claude Moraes said: "Several key positions still need to be filled under the new United States administration in order to meet the conditions of the adequacy decision". Infringements of certain articles of the GDPR carry fines of up to €20M or up to 4% of total global revenue of the preceding year, whichever is greater. The rules also broadly define "important data" to include information that relates to national security, economic development, or social or public interest. The maximum fine for breach of the UK's current data protection legislation is set at £500,000.
Those not compliant by next May could face eye-watering financial punishment for either themselves or their customers, and the event, taking place on 5 and 6 September in central London, will shed light on the challenges and requirements faced by the channel over the legislation in the coming eight months.
Understand the new regulatory framework and, where relevant, identify the jurisdiction that will act as the "lead supervisory authority" of the business. Our research showed that nine per cent of organisations have established a dedicated team for GDPR compliance, while 35 per cent are handling it through existing compliance teams.
Provide a mechanism to easily satisfy a data subject's request for personal data in a commonly used format.