GDPR: So What Has Changed?
Differences under GDPR
As we’ve discussed, many of the Articles of the GDPR are very similar to earlier regulations. So what are the main differences? Have you noticed the mass overhaul of privacy notices across the web? The amount of information an organisation must provide to its website visitors, app users and even brick-and-mortar customers is now substantially greater. Data Subjects have always had the right to demand a copy of whatever information an organisation holds on them. What has changed is the time in which we are obliged to respond to these requests, which has been reduced from 40 days to one month (extendable by a further two months where requests are complex or numerous), and the fact that the information must now be provided free of charge rather than for a fee. (There are some finer details on this, which we cover in our section on Subject Access Requests.)
In the event of a personal data breach, our notification responsibilities have also changed. The supervisory authority (Data Protection Authority) in question must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is deemed “high risk” to the individuals concerned, the Data Subjects themselves must also be notified without undue delay. This is what we refer to as going public. As you can imagine, the indirect losses associated with going public can be substantial, and brand reputation can suffer badly. Imagine how you would feel if somebody had leaked the personal data you had entrusted to them. Because 72 hours is rarely enough to complete an investigation, the notification may be a staggered release of information provided in phases as you investigate the breach; we cover this in our Personal Data Breach Notification section.
Under the GDPR, the scope of what is considered Personal Data has widened. Biometric and genetic data are now explicitly named as special categories of personal data, and online identifiers such as IP addresses and cookie identifiers, along with location data, are now explicitly within scope. This can initially be a tricky set of technologies to get your head around, but in our GDPR Technologies section we give a thousand-foot overview and put it in best-practice terms, with real-world examples of what other companies are doing (right and wrong), so you can make an informed and pragmatic decision for your company.
One of the enhanced rights brought in with the GDPR is the individual’s “Right to Be Forgotten” (the right to erasure). We cover the ins and outs of this right, along with some real-world examples of fines levied on companies who “conveniently forgot” that Data Subjects had previously opted out of their email marketing. We also show practical erasure techniques that you can adopt quickly and have your staff follow.