Principal GDPR definitions that will have a considerable impact on the IT, data and security policies of the organisation.
Data Subjects have the right to transport their personal information (data) from one organisation to the next. The personal data must be provided to the Data Subjects in a structured, commonly used and machine-readable format.
Data breach notification
When a security breach occurs, the breach must be reported to the Supervisory Authority within 72 hours. If the security breach is likely to result in a high risk to the rights and freedoms of Data Subjects, then the Data Subjects must also be notified about the breach.
Organisations must keep a list (inventory) of all personal data processed. For example, it should include the purposes of the processing, whether or not the personal data is exported, and which third parties receive the data.
Data protection by design and by default
- Data protection by design. When creating or designing a new system, process, service, etc. that processes personal data, organisations need to ensure that data protection considerations are taken into account starting from the early stages of the design process.
- Data protection by default. When the system offers Data Subjects choices about how much personal data they share with others, the default setting should be the most privacy-friendly one.
Under the current legislation, the entire compliance burden for privacy rests with the controller. Under the GDPR, the processor is also directly responsible and accountable. The processor must appoint a Data Protection Officer and keep records of all the processing activities it performs on behalf of the client. Data Processors and Data Controllers are now jointly and severally liable.
Marks and Seals - Approved certification mechanism
GDPR introduces certification mechanisms and tools so that the organisations can demonstrate compliance with the GDPR.
Right to be forgotten
The Data Subject's right to erasure of his or her personal data already exists in the current Data Protection Directive. All organisations that process personal data must remove all of that data if one of six conditions is met. For example, personal data must be deleted when it is clear that the data has been processed unlawfully, or when the Data Subject withdraws previously given consent.
The GDPR introduces Data Protection Impact Assessments (DPIAs) as a means of identifying high risks to the privacy rights of individuals when processing their personal data. Where such risks are identified, the organisation should formulate measures to address them.
Proper information security procedures that ensure the confidentiality, integrity, availability and resilience of processing systems and services have always been part of privacy legislation. The GDPR specifically mentions pseudonymisation and encryption of personal data as preferred security measures.
Accountability and data governance
Adherence to lawfulness, fairness, purpose limitation, accountability and transparency is a component and responsibility of IT governance and management. The organisation must be able to prove its compliance with the GDPR.
The Lead Supervisory Authority will be the supervisory authority of the country in which the data controller or processor has its main establishment.
The GDPR specifically regulates fines. For less serious violations, the maximum fine is € 10 million or 2% of the total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this rises to € 20 million or 4%.
The above definitions describe some of the changes that will have a considerable impact on the IT, data and security policies of the organisation. The complete GDPR is over two hundred pages long, so the above is not an exhaustive list. Please refer to the official text as the authoritative source.