In our last blog, we began looking at the key changes being introduced by the new data protection laws coming into force in the European Union (EU) from 25th May 2018. We explained how the automotive industry uses customer data at present and one of the areas of change requiring the industry’s immediate attention: customer consent.
You can read our last blog here: Key changes to Data Protection laws for automotive industry – Part 1
This week, we will look at the other key areas of change being introduced by the GDPR, including:
- Breach notification
- Right to access
- Right to be forgotten
- Data transfer
- Privacy by design
- Data Protection Officers (DPOs)
All this information and more can be found in our latest eBook – GDPR: The new data protection law – which you can download for free.
Under the GDPR, the maximum fine that can be imposed on a business is 4% of annual global turnover or €20m, whichever is greater. This top tier is reserved for the most serious infringements, such as processing personal data without a valid legal basis (for example, without sufficient customer consent) or disregarding data subjects' rights. The lower tier, up to 2% of annual global turnover or €10m (again, whichever is greater), covers failings such as not keeping adequate records of processing, not notifying the supervisory authority and affected data subjects about a breach, or not appointing a Data Protection Officer where one is required. Fines are discretionary and scale with the nature, gravity and duration of the infringement and with how the business responded, so being able to show what you did and when matters.
Breach notification
The GDPR introduces a breach notification duty across the board. Not every breach has to be reported to the supervisory authority (in the UK, the Information Commissioner's Office, or ICO): notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, for example through identity theft, fraud or loss of confidentiality, the affected data subjects must also be told without undue delay. Notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of the data controller becoming aware of the breach; if it is made later than that, the reasons for the delay have to be given with it. The notification must describe the nature of the breach, the likely consequences and the measures taken or proposed to address it, and give a point of contact such as the DPO. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach. Because the 72-hour clock starts at awareness, you need a breach-handling process (detection, risk assessment, decision and notification) in place before an incident happens, not during it, and you should record every breach, including those you decide not to report, together with the reasoning.
Right to access
Data subjects will have the right to confirmation of whether their personal data is being processed and, where it is, to information on what data is held, for what purpose, who it is shared with and how long it will be kept. As a data controller, you will have to provide a copy of a customer's personal data upon request, normally free of charge and within one month (extendable by up to two further months for complex or numerous requests, provided you tell the customer within the first month). Where the request is made electronically, the copy should be provided in a commonly used electronic format unless the customer asks otherwise. You may only charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive, and you must be able to justify that decision.
Right to be forgotten
The right to be forgotten is also known as the right to erasure. Data subjects – your customers – may ask you to erase their personal data, and you must do so without undue delay where, for example, the data is no longer necessary for the purposes for which it was collected, the customer withdraws the consent on which the processing was based and there is no other legal basis, or the customer objects to the processing. Where you have made the data public, you must also take reasonable steps to inform other controllers processing it that erasure has been requested, so that they halt processing and delete copies and links. The right is not absolute: you can refuse where you still need the data to comply with a legal obligation (for example, record-keeping required by law) or to establish, exercise or defend legal claims. In practice this means knowing every system, backup and third party that holds a copy of a customer's data, since you cannot erase what you cannot locate.
Data transfer
The GDPR calls this the right to data portability. A data subject will have the right to receive the personal data they have provided to you in a structured, commonly used and machine-readable format, and to transmit that data to another controller. Where it is technically feasible, they can ask you to send it directly to the other controller. The right applies to data processed by automated means on the basis of consent or a contract, so for a dealership or manufacturer it would cover, for instance, the contact and vehicle details a customer supplied when buying a car or booking a service, but not conclusions you have drawn from that data yourself.
Privacy by design
Privacy by design (data protection by design and by default, in the words of the Regulation) becomes a legal requirement rather than a good practice. Data controllers must implement appropriate technical and organisational measures, both when deciding how data will be processed and during the processing itself, in order to meet the requirements of the GDPR and protect the rights of data subjects; pseudonymisation is the example the Regulation itself gives. By default you must collect and hold only the data necessary for the purpose it was collected for, keep it no longer than that purpose requires, and limit access to the people who need it to carry out that purpose. The measures are expected to be proportionate to the risk, the state of the art and the cost of implementation, so it is worth documenting each decision and its reasoning alongside your records of processing.
Data Protection Officers (DPOs)
One area where the GDPR reduces bureaucracy is the old requirement to notify or register data processing activities with each local DPA, which disappears. Instead, there will be internal record-keeping requirements, as previously mentioned. DPO appointment, however, will be mandatory for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (such as health data) or data relating to criminal convictions, and for all public authorities. Where a DPO is required (or you choose to appoint one voluntarily), the DPO:
- Must have and maintain expert knowledge of data protection law and practice
- May be a staff member or an external service provider
- Must have their contact details published and communicated to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
- Must not be dismissed or penalised for performing their tasks