BUSINESS OBJECTIVES ACHIEVED
The consequences of failing to comply with the GDPR are serious. Organisations can be fined up to a maximum of 20 million Euros or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. In addition, individuals have the right to claim compensation if they suffer distress or loss as a result of a breach of the GDPR.
The GDPR requires an organisation to appoint a DPO if it is a public authority, carries regular and systematic monitoring of individuals on a large scale or if it processes special categories of personal data on a large scale. However, you can decide to appoint a DPO in order to assist in your organisation's ability to comply with the GDPR even if you are not legally obliged to do so.
The GDPR places an emphasis on an organisation's accountability for how it uses personal information. This means that you will need to demonstrate that you are GDPR compliant by ensuring a culture of data protection throughout your organisation. This includes having appropriate measures and records in place to demonstrate your compliance. This may include a data protection policy, data breach policy and procedure, subject access policy and procedure, data retention policy, record of processing activity, privacy notices and contractual arrangements with suppliers to ensure GDPR compliance. More or less documentation may be required depending on the nature of your organisation.
Most organisations are required to maintain a record of their processing activities, covering areas such as the reasons why they are processing personal data, data sharing and how long information is kept for. If organisations have less than 250 employees, they will be exempt from the requirement to keep a record of processing activity unless their processing activities are risky, frequent or include special categories of personal data. As employers, the information organisations obtain from employees often contains special categories of personal data and therefore it will be rare that an organisation can rely on this exemption. Therefore, most organisations will be required to keep a record of processing activity.
It is mandatory to report a personal data breach under the GDPR to the Information Commissioners Office (ICO) if it's likely to result in a risk to individual's rights and freedoms. Therefore, if the data breach poses a risk to an individual (e.g. risk of discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage) then the data breach should be reported to the ICO within 72 hours.
The GDPR does not require organisations to automatically refresh any existing consents. However, the GDPR does make it clear that if you want to rely on consent obtained pre-GDPR (under the Data Protection Act 1998) the consents must meet the GDPR standard (e.g. affirmative, opted-in consent). If the consent does not meet the GDPR higher standard or the consents are poorly documented members will need to seek fresh GDPR compliant consent in order to comply with the GDPR.
The rules on consent and marketing do not apply to 'corporate subscribers' (e.g. companies, LLPs, and government bodies). The GDPR only applies to living individuals and therefore a company does not fall within this definition. However, the definition of 'corporate subscribers' does not include sole traders. Sole traders will have the same protection as individuals under the GDPR. In addition, it should be noted that individuals working for a company are protected under the GDPR. Therefore, if marketing correspondence is being sent to a personal corporate email address (e.g. firstname.lastname@example.org) rather than a generic company email address (e.g. email@example.com), that individual will have data protection rights under the GDPR and have the right to stop any marketing being sent to that type of email address.
The GDPR does not set a specific time limit for consent. It will degrade over time and it certainly does not last forever. Organisations will need to keep consents under review and consider refreshing consents at user-friendly intervals.