Understand the new compliance era
The GDPR brings fundamental changes to the data protection compliance regime and is “the biggest thing to happen in the privacy arena in 20 years” (Lisa Sotto, Hunton & Williams).
The GDPR is extra-territorial in scope and will directly apply to Island businesses; those “operating in Europe or targeting European customers need to get their act together and start preparing for the new regime.” (Eduardo Ustaran, Hogan Lovells LLP)
Boards and senior management teams will be held accountable and the “new law gives directors 20 million reasons” to comply. (Christopher Graham, UK Information Commissioner)
Failure to comply may result in a European data protection authority imposing a fine of up to €20m or 4% of global turnover, and individual directors or senior managers may also be prosecuted for non-compliance.
The “level of risk … has catapulted data protection into the boardroom”. (Jane Finlayson-Brown, Allen & Overy)
Island businesses have two years to wake up to the new era of data protection compliance and get measures in place.
The main points are:
- Documenting and evidencing compliance
- Making and maintaining records of processing
- Stricter security requirements
- Stricter rules on transparency and data retention
- Data minimisation
- Explicit rules on ‘consent’
- New rules for children’s data
- New rules for processors
- Mandatory data breach reporting
- Restrictions on profiling
- Inform colleagues
- Obtain boardroom support, including allocation of requisite skills/knowledge
- Identify a leader/team; and
- Determine an approach to compliance