THE BASIC PRINCIPLES OF GDPR
Transparency and Consent:
Tell the data subject what data processing will be done. What is processed must match how it has been described, and the processing must rest on one of the lawful bases set out in GDPR (for example consent, performance of a contract or legitimate interests). Businesses must be able to demonstrate that the data subject's consent was requested in a manner which is clearly distinguishable from other matters and specific to the purposes for which the data will be used. Consent can no longer be by default or implied: it must be a freely given, specific, informed and unambiguous indication of the subject's wishes, so silence, inactivity or pre-ticked boxes do not count.
Purpose:
Personal data can only be obtained for specified, explicit and legitimate purposes. Data can only be used for the specific processing purposes that the subject has been made aware of and for no other purpose without further consent (or another lawful basis that is compatible with the original purpose).
Necessary:
Data collected on a subject must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is held (data minimisation). In practice you must have and maintain an inventory of all the personal data you hold, the reasons for holding it and how long it is kept; for most organisations this is the record of processing activities required by Article 30.
Retention
GDPR requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Data no longer required should be removed, which means a retention period must be defined for each purpose and actually enforced, rather than left to ad hoc clean-ups.
Security
Controllers and processors are required to handle personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or data
Data portability
Customers will have the right to obtain and use their personal data for their own purposes across different services. You will have to be able to provide customers w
Data Protection Impact Assessments
GDPR requires businesses to carry out DPIAs where the processing is likely to result in a high risk to the rights and freedoms of individuals, particularly when using new technologies, taking into account the nature, scope, context and purposes of the processing.
Right to be forgotten
GDPR gives data subjects the right, in certain circumstances, to have data about them erased, removed or de-indexed. Are your IT systems and business processes able to take this into account, including copies held in backups and by your processors?
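The Purpose, Necessary, Retention, Data portability and Right to be forgotten obligations above all translate into concrete behaviour of the systems that hold personal data. The following is an added example written for this page, not code from the original page or from any product: a small in-memory personal-data register that refuses to store data for a purpose the subject has not consented to, purges records whose retention period has expired, exports a subject's data as machine-readable JSON, and erases a subject on request. The purposes, retention periods, field names and the subject "alice" are all assumed for illustration.

```python
"""Added example: a minimal personal-data register enforcing purpose limitation,
retention, portability and erasure. Illustrative only; all purposes, retention
periods and sample data below are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass(frozen=True)
class Purpose:
    """A declared processing purpose and how long its data may be kept."""
    name: str
    retention: timedelta


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    data: dict


class PersonalDataRegister:
    """Holds personal data only against a declared purpose the subject consented to."""

    def __init__(self, purposes):
        self.purposes = {p.name: p for p in purposes}   # the data inventory's purposes
        self.records = []
        self.consents = {}   # subject_id -> set of purpose names consented to
        self.audit = []      # erasure log; deliberately holds no personal data

    def record_consent(self, subject_id, purpose):
        if purpose not in self.purposes:
            raise ValueError(f"undeclared purpose {purpose!r}")
        self.consents.setdefault(subject_id, set()).add(purpose)

    def store(self, subject_id, purpose, data, now):
        # Purpose limitation: no undeclared purpose, and no purpose without consent.
        if purpose not in self.purposes:
            raise PermissionError(f"undeclared purpose {purpose!r}")
        if purpose not in self.consents.get(subject_id, set()):
            raise PermissionError(f"{subject_id} has not consented to {purpose!r}")
        self.records.append(Record(subject_id, purpose, now, dict(data)))

    def purge_expired(self, now):
        """Retention: drop every record held longer than its purpose allows."""
        kept, dropped = [], 0
        for rec in self.records:
            if now - rec.collected_at > self.purposes[rec.purpose].retention:
                dropped += 1
            else:
                kept.append(rec)
        self.records = kept
        return dropped

    def export_subject(self, subject_id):
        """Portability/access: everything held on one subject, as JSON."""
        payload = [
            {"purpose": r.purpose, "collected_at": r.collected_at.isoformat(), "data": r.data}
            for r in self.records if r.subject_id == subject_id
        ]
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase_subject(self, subject_id, now):
        """Right to be forgotten: remove the subject's records and consents."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self.consents.pop(subject_id, None)
        removed = before - len(self.records)
        # Log that an erasure happened without re-storing who was erased.
        self.audit.append({"event": "erasure", "records_removed": removed,
                           "at": now.isoformat()})
        return removed


def demo():
    """Walk through consent, purpose limitation, retention, export and erasure."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)       # constructed timestamp
    reg = PersonalDataRegister([
        Purpose("order_fulfilment", timedelta(days=365)),  # assumed retention
        Purpose("newsletter", timedelta(days=30)),         # assumed retention
    ])
    reg.record_consent("alice", "order_fulfilment")
    reg.store("alice", "order_fulfilment", {"address": "1 Example St"}, t0)

    # Consent for fulfilment does not cover marketing: the store must be refused.
    try:
        reg.store("alice", "newsletter", {"email": "alice@example.com"}, t0)
        limited = False
    except PermissionError:
        limited = True

    reg.record_consent("alice", "newsletter")
    reg.store("alice", "newsletter", {"email": "alice@example.com"}, t0)

    # 31 days later the newsletter record is past its 30-day retention; the order is not.
    dropped = reg.purge_expired(t0 + timedelta(days=31))
    exported = json.loads(reg.export_subject("alice"))
    removed = reg.erase_subject("alice", t0 + timedelta(days=32))
    return {
        "purpose_limited": limited,
        "purged": dropped,
        "exported_purposes": [e["purpose"] for e in exported],
        "erased": removed,
        "remaining": len(reg.records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register is only a model: a real system has the same data in databases, search indexes, logs, backups and at processors, and each of those stores needs its own purge and erasure path driven from the same inventory of purposes and retention periods.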
Access rights
GDPR gives stronger access rights. Where an access request is received, you must respond within the shorter time frame of one month (extendable by two further months for complex or numerous requests, provided you tell the subject within the first month) and cannot charge a fee unless the request is manifestly unfounded or excessive. If you reject the request, you must reply setting out your grounds for doing so and providing information about the possibility of lodging a complaint with the supervisory authority, the Data Protection Commissioner.
Reporting
In addition to reporting requirements under other regulations, GDPR requires you to notify the Data Protection Commissioner of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to inform the affected data subjects 'without undue delay' where the breach is likely to result in a high risk to them.
Easier to litigate
GDPR makes it easier to litigate: a data subject who has suffered damage as a result of an infringement can claim compensation, and that damage need not be material. Non-material damage, such as distress, is enough.