By now, most marketers are aware of the impending General Data Protection Regulation, a European Union initiative designed to give consumers greater control and transparency when it comes to the personal data companies are collecting and storing. The compliance deadline is May 25, 2018, which means any business that hasn't reviewed its policies and practices is running out of time.
Although the GDPR currently only applies to companies that possess data from EU residents, many experts believe similar regulations will start emerging elsewhere. It's best to prepare yourself and become compliant now, even if you don't currently have overseas customers.
General Data Protection Regulation (GDPR)
Deloitte NWE Privacy Services Vision and Approach
Deloitte Risk Advisory - 2017
Key changes of the GDPR
The Big Picture
Deloitte Risk Advisory NWE GDPR Brochure
Fines of up to 4% of annual global turnover
Previously fines were limited in size and impact. GDPR fines will apply to both controllers and processors.

GDPR will apply to all companies processing the personal data of data subjects residing in the EU, regardless of the company's

Explicit and retractable consent
Must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Breach notification within 72 hours
Now mandatory that breaches, which are likely to "result in a risk for the rights and freedoms of individuals", are reported within 72 hours of first having become aware of the breach.

Privacy By Design
Now a legal requirement for the inclusion of data protection from the onset of the designing of systems, rather than a retrospective

Mandatory Data Protection Officers
Appointed in certain cases (public authorities, when monitoring of data subjects on a large scale and when processing special categories of data). To facilitate the need for a company to demonstrate their compliance to the GDPR and compensate for GDPR no longer requiring the bureaucratic submission of notifications/registrations of data processing activities or transfers based on Model Contract Clauses.

Right to be forgotten
Entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Right to access and portability
Data subjects can request confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in