1. Tougher sanctions for non-compliance
Failure to comply with the statute can result in heavy fines and restitution—upwards of 4% of your global revenue or €20m, whichever is higher (Article 83(5) of the regulation). The Supervisory Authority is not required to impose fines, but it must ensure that any sanctions imposed are effective, proportionate and dissuasive.
2. More individual rights
The regulation makes it considerably easier for individuals to bring private claims against data controllers and processors.
The regulation also gives people the right to have their personal data corrected if inaccurate, expands their right to remove irrelevant or outdated information and outlines the 'right of erasure' or right to be forgotten.
3. Concept of Accountability
The regulation introduces the concept of accountability. It requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business.
4. Wider scope
Even if an organisation is not established within the EU, it will still be caught by the GDPR if it processes the personal data of data subjects who are in the EU.
5. Mandatory breach notifications
You must notify the Data Protection Commissioner within 72 hours where a breach is likely to result in a risk to the rights and freedoms of a natural person. You must also notify the data subject of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of a natural person and appropriate technical and organisational protection was in place at the time of the incident. If in doubt – report it.
To find out how we can help you with your data protection requirements, contact a member of our Data Protection team.