The “Ten Commandments” of the General Data Protection Regulation (GDPR)
On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect in the European Union. This is just days after the Jewish holiday of Shavuos commemorating the giving of the Ten Commandments. Coincidentally or not, the Locke Lord law firm has published a list of highlights of this regulation, which could be considered the “Ten Commandments” of the GDPR.
- The GDPR applies worldwide. Businesses that offer goods or services to individuals in the EU, or monitor them on the Internet, are subject to this regulation even if they have no physical or legal presence in the EU.
- Breach of the GDPR will cost you. Authorities have the power to levy fines up to 20 million euros or 4% of an organization’s gross worldwide revenue, whichever is greater. Individuals can also claim compensation.
- Data subjects have more rights. These include obtaining copies of their personal data, having it sent to another provider, or objecting to its processing. There is also a “right to be forgotten” – a request to erase a person’s data.
- You must report data breaches. In most cases, authorities must be notified within 72 hours. In serious cases, potentially affected individuals must be notified.
- You must provide individuals with information about how their data is processed in a transparent, intelligible and easily accessible way.
- Subjects must consent to the processing of personal data. Separate consents are required for different activities. Individuals must be able to withdraw consent. Parental consent is required for children up to at least 13 and potentially 15.
- As a processor, you are liable for breaches. Data processors now have many of the same obligations as data controllers.
- If you process or monitor large amounts of data, you need a data protection officer. DPOs must carry out a variety of functions, have suitable skills, and report to upper management. An estimated 28,000 DPOs will be needed in Europe alone.
- If you engage in high-risk processing, you must carry out a Privacy Impact Assessment.
- Organizations must have appropriate cybersecurity measures in place. This includes technical certification, organizational policies, and staff training.