As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws not only in Luxembourg but across Europe and beyond.
The new rules:
- Create new responsibilities for organisations that collect, use or store information about people.
- Give people new rights over how their data is collected, used and stored – including the right to have data corrected or deleted.
Five things you need to know...
- The Commission Nationale pour la Protection des Données (the CNPD) will have the power to impose fines of up to 4% of a business's annual worldwide turnover for the preceding financial year
- Where data is lost or stolen, the breaches will have to be reported to the CNPD within 72 hours of discovery
- Individuals will have the “right to be forgotten” – so that, in some cases, they can demand that their data is deleted
- Where individuals demand to know what information is held on them, the data controllers will have less time to respond, and will not be allowed to charge
- Rights under the GDPR apply to EU citizens, regardless of where the company processing their data is based
Five things you need to do...
- Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
- Test your organisation’s ability to quickly isolate data relating to a specific individual in the necessary time period provided under the GDPR
- Identify a point of contact within the organisation who will deal with Subject Access Requests (SARs) and ensure that their contact details are easily available
- Review and update your existing contracts and websites to make them GDPR compliant
- Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests