GDPR builds on the rights and principles already defined in the Data Protection Directive and the Data Protection Act (DPA); however, it also introduced some more significant changes, including the following:

  • A requirement to actively demonstrate compliance (accountability) and to document processing activities.
  • Greater powers for supervisory authorities and stronger remedies available to data subjects.
  • Supervisory authorities, such as the Irish Data Protection Commission (DPC, formerly the Office of the Data Protection Commissioner, ODPC), can now issue administrative fines for non-compliance of up to €20 million or 4% of worldwide annual turnover, whichever is higher. A recent example of this: WhatsApp was issued a €225 million fine by the Irish DPC for breaching privacy regulations (BBC 2021).
  • Mandatory reporting of personal data breaches to the appropriate supervisory authority, where feasible within 72 hours of the organisation becoming aware of the breach.
  • Introduction of ‘privacy by design’ (data protection by design and by default, in the wording of the regulation) as a requirement when developing, designing, selecting and using applications, services and products that are based on the processing of personal data.
  • A requirement to complete data protection impact assessments (DPIAs, often still called privacy impact assessments or PIAs) for change activity where processing is likely to result in a “high risk to the rights and freedoms” of data subjects, or where processing is likely to be carried out on a large scale.

These changes and recommendations are complemented by guidance from other supervisory bodies, such as the Information Commissioner’s Office (ICO) in the UK, which has advised organisations to consider the following:

  • The information you hold.
  • Awareness and communication.
  • The rights of individuals.
  • Data subject access requests.
  • The legal basis for processing.
  • Consent.
  • The processing of children’s data.
  • Data breach reporting.
  • Privacy by design and DPIAs.
  • Data transfers.
  • The appointment of data protection officers (DPOs).

If you want to find out more about GDPR, read our blog: Data protection in SaaS, Who’s responsible for what?