Appointment of an independent Data Protection Officer (DPO)
If the core activities of your organisation involve the processing of sensitive personal data, or processing that requires regular and systematic monitoring on a large scale, a DPO needs to be appointed. The DPO is responsible for monitoring your GDPR compliance and acts as the point of contact for the Data Protection Authorities and stakeholders.
Data Protection Impact Assessment (DPIA)
A DPIA needs to be executed and documented when implementing new technologies or in the event that processing could result in an increased risk to the rights and freedoms of data subjects.
Privacy by default and design
Processing of personal data needs to be limited to the greatest extent possible, and privacy risk needs to be reduced as far as possible. This means that your products, services, systems and daily working practices need to be designed with privacy in mind.
Notification of a personal data breach
If a breach of personal data is likely to result in a risk to the rights and freedoms of data subjects, it must be reported to the competent Data Protection Authority within 72 hours. Communication with the data subjects might also be required.
Profiling gets tougher
Data subjects have the right to not be subject to a decision based solely on automated processing and may request human intervention, unless explicit consent or a legal basis is present. This restriction includes profiling.
Better quality consent
The GDPR brings clarity on the lawfulness of data processing. You need to establish a clear legal basis that forms the grounds for data processing. Such legal grounds can be explicit consent, a contract, the protection of vital, public or legitimate interests, or a particular legal obligation to keep personal data.
Right to be forgotten
Data subjects have the right to request deletion of personal data if it is no longer needed to serve its original purpose, or if a legal basis to store the data is no longer in place.
Right to data portability
Data subjects can request to transfer an overview of their personal data to another organisation in an easily accessible format.
Right to object
Data subjects can object to the processing of their personal data unless a legal basis is in place.
Right to rectification
Data subjects have the right to obtain rectification of inaccurate personal data.