The key changes and additional requirements introduced by the GDPR are:
Individuals have the right
Therefore, organizations must determine how they will enable individuals to exercise these rights and align their processes accordingly.
Businesses may only engage other parties (processors) to process personal data on their behalf if those parties provide sufficient guarantees that they implement appropriate technical and organisational security measures meeting the requirements of the GDPR. These service providers are now directly accountable for their own level of security, must keep records of their processing activities to the same extent as controllers, and must obtain the controller's prior authorisation before engaging sub-processors.
Therefore, organizations need to review and amend their contracts with these parties to address the changes in responsibilities.
Depending on their processing activities, organizations may be required to appoint a data protection officer who is responsible for monitoring compliance with the GDPR and, in certain circumstances, for overseeing assessments of the organization's data processing. Organizations are also required to keep a record of their processing of personal data and to carry out data protection impact assessments for processing that is likely to result in a high risk to individuals.
In addition to businesses established in the European Union, organizations located outside the EU must comply with European data protection law if they process personal data in connection with offering goods or services to individuals in the EU, or as a result of monitoring the behaviour of individuals in the EU.
Therefore, non-EU businesses need to analyse whether they will be subject to the new rules and how they will comply. In particular, they have to determine whether they must designate a representative within the EU under Art. 27 GDPR. For more information, see our legal service offer: GDPR EU Representative.
Organizations have to notify the competent European data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The affected individuals must also be informed without undue delay where the breach is likely to result in a high risk to them.
The maximum fine for an infringement of European data protection law is substantially increased: up to 4% of an enterprise's total worldwide annual turnover or up to EUR 20 million per infringement, whichever is higher.
We assist you in establishing and maintaining privacy policies, procedures, training tools and cross-functional programs for the protection of the personal data your company handles, tailored to your individual requirements. Once these privacy structures are in place, we work with you on an ongoing basis to update them as laws and regulations, or your own business needs, evolve.
We review the contracts you have in place with parties to whom you transfer personal data, and those under which you process personal data on behalf of others as a processor (commissioned data processing), and advise you on whether they enable your business to meet its obligations under the GDPR. This includes updating and renegotiating those contracts where necessary.
We examine which personal data your business transfers internationally and advise you on the extent to which those transfers comply with the GDPR. This includes drafting standard contractual clauses (model contracts) and Binding Corporate Rules (BCR) and implementing the measures that enable your business to carry out those transfers lawfully.
We stay up to date on all EU data breach notification requirements and can rapidly advise you on whether notification, including to the affected individuals, is required.