Breach notification – An important requirement that organisations must notify the relevant supervisory authority within 72 hours of becoming aware of a breach of personal data. Affected data subjects must also be notified, without undue delay, but only if the breach is likely to pose a “high risk to their rights and freedoms”.
Fines – The higher tier of fines (up to €20 million or 4% of worldwide annual turnover, whichever is greater) is generally applied where the rights of individuals or the basic processing principles have been breached, where there are issues around international transfers, and where an organisation fails to comply with an order from the regulator. The second tier (up to €10 million or 2% of worldwide annual turnover), which is still significant, covers more procedural and operational failures such as record-keeping, breach notification and impact assessment obligations.
The Right to Erasure and To Be Forgotten – The GDPR gives individuals the right to have their personal data erased, including data published on the web. This relates to the right to stay out of the public view and “be forgotten”, though it is not absolute and is subject to exceptions such as freedom of expression and legal obligations to retain data.
Extraterritoriality – This new principle says that even if a company has no physical presence in the EU, if it offers goods or services to EU data subjects (e.g. through a website) or monitors their behaviour, then all the requirements of the GDPR will apply. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
Privacy by Design (PbD) – The new law makes explicit the principles of data minimisation (collecting only what is needed), limited retention, and obtaining a valid lawful basis such as consent from consumers before processing their data, and requires privacy-protective settings by default.
Data Protection Impact Assessments (DPIA) – Where processing is likely to result in a high risk to individuals (for example, large-scale processing of sensitive data or systematic monitoring), organisations must first analyse the risks to their privacy and document how those risks will be mitigated.
The new requirements will mean changes for all organisations