General Data Protection Regulation (GDPR)

Sectors Most Likely To Be Affected (including but not limited to)

  • Hotel/Hospitality
  • Car Rental Companies
  • Off-shore Companies
  • Medical Facilities
  • E-commerce businesses/platforms
  • App Developers
  • Cloud Services
  • Insurance Companies

Compliance Deadline

May 25, 2018

Penalties For Non-Compliance

Two Tiers

Tier 1 Penalty

The most serious infringements – up to 4% of the previous year’s global annual turnover or €20 million, whichever is greater.

Tier 2 Penalty

Any other breach – up to 2% of the previous year’s global annual turnover or €10 million, whichever is greater.

Issues To Be Addressed (Overview)

Permission

  • Does the entity ask customers for permission before use?
  • Do they state its intended use?
    • If found to be misusing data, highest tier of breach will be triggered.
  • The entity MUST receive explicit consent.
    • For E-Commerce transactions, no pre-ticked boxes
    • Individual must always choose to tick the box.
  • If entities want to use personal information for multiple purposes, express/explicit consent MUST be given separately for each purpose.
  • Entities MUST record 1) how consent was given, 2) from whom, 3) when, 4) how, and 5) what the interested parties were told.
  • There must be no use of confusing language or legalese. It must be easy for individuals to understand what they’re giving permission for, and just as easy to withdraw that permission at a later date.
  • A ‘Consent Request’ MUST NOT be bundled with standard terms and conditions.
  • If your entity works with third parties, the individual must give prior consent before their data is shared with those third parties.

What Constitutes A Data Breach

Personal Data Breach

  • Not only a loss of data, but any breach of security resulting in:
    • Destruction
    • Loss
    • Alteration
    • Unauthorised disclosure of, or
    • Unauthorised access to, personal data

When Must The Relevant Authority Be Notified?

  • This must be done without undue delay and within 72 hours of becoming aware of the personal data breach.
  • The entity MUST state:
    • Its nature
    • The approximate number of people affected
    • Contact details of the company’s/organization’s Data Protection Officer (DPO), if one has been appointed.