As of 25 May 2018, the General Data Protection Regulation (GDPR) will reform data protection and privacy laws not only in Luxembourg but across Europe and beyond.

The new rules:

  • Create new responsibilities for organisations that collect, use or store information about people.
  • Give people new rights about how their data is collected, used and stored – including the right to have data corrected or deleted.

Five things you need to know...

  • The Commission Nationale pour la Protection des Données (the CNPD) will have the power to serve fines of up to 4% of a business’ annual worldwide turnover of the preceding financial year
  • Where data is lost or stolen, the breaches will have to be reported to the CNPD within 72 hours of discovery
  • Individuals will have the “right to be forgotten” – so that, in some cases, they can demand that their data is deleted
  • Where individuals demand to know what information is held on them, the data controllers will have less time to respond, and will not be allowed to charge
  • Rights under the GDPR apply to EU citizens, regardless of where the company processing their data is based

Five things you need to do...

  • Review your records management systems and processes, both electronic and paper-based, to ensure they are consciously designed to support the efficient discovery of information
  • Test your organisation’s ability to quickly isolate data relating to a specific individual within the time limit the GDPR sets
  • Identify a point of contact within the organisation that will deal with Subject Access Requests (SAR) and ensure that their contact details are easily available
  • Review and update your existing contracts and websites to make them GDPR compliant
  • Create procedures or review any existing procedures regarding responding to SARs and governing the refusal of requests