EU 2016/679

What is the GDPR?
The GDPR defines precise rules on the management of security incidents such as data breaches, the use and erasure of collected personal data, and the keeping of records relating to data processing activities.

When did the GDPR take effect?
The General Data Protection Regulation (GDPR) took effect on the 25th of May 2018, and last year (2023) there were over a billion euros in fines for breaches, demonstrating there is still some work to do to ensure that everyone is in compliance.

What are the rules around the reporting of data breaches?
The regulation requires that personal data breaches (this includes all personal data, such as contact details) must be reported to the competent supervisory authority within 72 hours. Data subjects must also be notified. Violation of the duty to report data breaches can be punished by fines of up to EUR 1 million or, in the case of companies, of up to 2% of the total global annual turnover of the preceding financial year, whichever is the higher.

What information am I obliged to provide when collecting personal data from subjects?
The identity of the controller and deputy controller of the data and their contact details; the purpose and categories of recipient; contact details of the data protection officer; the controller’s legitimate interests; any intention to transfer data to a third country or to an international organisation (and the Commission’s associated adequacy decision); how long the data will be stored; the data subjects’ rights to information, erasure, correction and restriction, the right to revoke consent, the right to appeal to a supervisory authority, and so forth. Additionally, the reasoning behind, and consequences of, any profiling activities that may be performed.

How long can personal data be held for?
Personal data must be held only for as long as it is necessary to carry out the purpose for which the data is processed. Once the data is no longer needed for the purpose for which it was collected, it must be deleted. If data subjects withdraw their consent to the use or processing of their personal data, organizations are obliged to delete the relevant information.

Under this regulation, when is it lawful to process personal data?
This is only lawful when at least one of the following criteria has been fulfilled:

The data subject is entitled to revoke their consent at any time. This process must be as simple as granting consent. The awarding of a contract, or provision of a service, may not be made dependent on the data subject’s consent, unless the data processing to which the data subject is to give his consent is required in order to fulfill the contract. The processing of sensitive data is forbidden as a matter of principle unless the data subject’s consent has been obtained.

What are my requirements in terms of protecting personal data?
The controller responsible for processing is required to take appropriate technical and organisational measures in order to ensure that personal data is processed in conformity with this regulation, and must provide evidence that this is the case. A (documented) risk assessment is required.

Need some help to get started, or to review your existing activities for compliance? Get in touch: www.rbdevelopment.co.nz/contact