
General Data Protection Regulation

Create and maintain a defensible and proactive strategy for GDPR Compliance

The General Data Protection Regulation (GDPR) came into force in May 2018, building on the strong data protection principles set out in 1995 in the Data Protection Directive.

Objectives of the GDPR include:

The harmonization of the fragmented data protection landscape that existed under 28 different national laws to provide legal certainty for individuals and businesses in, or operating in, the European Union (EU).

An improved information governance structure centered on independent national data protection authorities.

The strengthening of individuals’ rights.

EXPANDED SCOPE

The GDPR applies to all EU organizations that control or process the personal data of EU residents. It also applies to non-EU companies whose processing activities relate to the offering of goods and services to, or the monitoring of the behavior of, individuals in the EU.

EXPANDED RIGHTS OF DATA SUBJECTS

The GDPR provides individuals with enforceable rights, such as the rights of access, rectification, and erasure; the right to object; the right to data portability; and enhanced transparency. Where companies fail to protect these rights, data protection authorities can issue fines and other corrective measures such as warnings and reprimands, orders to rectify, and limitations on processing, including bans. Between May 2018 and November 2019, 22 EU/European Economic Area (EEA) data protection authorities issued 785 fines.

DATA GOVERNANCE REQUIREMENTS

These include obligations to conduct privacy impact assessments as well as audits and policy reviews, to maintain records of processing activities, and, in certain circumstances, to appoint a data protection officer.

INCREASED REQUIREMENTS ON DATA CONTROLLERS AND PROCESSORS

Whenever a controller uses a processor, there must be a written contract (or other legal act) in place. The GDPR sets out what must be included in the contract, and if a processor uses another organization (a sub-processor) to assist in its processing of personal data for a controller, it must have a written contract in place with that sub-processor as well.

LAWFUL GROUNDS FOR PROCESSING AND APPROVED TRANSFER MECHANISMS

The law requires that companies establish a lawful basis for processing personal data, which means obtaining consent from data subjects unless another basis applies, such as a legitimate business interest (but only with adequate safeguards in place). It also establishes specific mechanisms to facilitate data transfers outside the EU and EEA, such as binding corporate rules, standard contractual clauses, or transfer to a non-EU country deemed adequate by the European Commission.

Understanding the Risks

The regulation affords supervisory authorities expanded powers, including issuing warnings of noncompliance, carrying out audits, requiring remediation, and suspending data transfers to other countries. It also increases their investigative and corrective powers.

More significantly, the regulation empowers supervisory authorities to issue substantial penalties for noncompliance. Depending on the violation, organizations could face fines of up to the higher of £20 million or 4% of the organization’s global annual turnover.

Significant fines were imposed in 2019-2020, including against Google (€50m – France), TIM (€27.8m – Italy), Austrian Post (€18m – Austria), Wind Tre S.p.A (€16.7m – Italy) and Deutsche Wohnen (€14.5m – Germany). What is notable about these fines, in addition to their size, is that they show supervisory data protection authorities becoming increasingly willing to impose fines for a broad range of infringements, including over-retention of personal data.

Our GDPR Offering

Lighthouse’s GDPR offering includes three components – planning, legacy data remediation, and ongoing support services.

Contact Us

A Lighthouse expert is available to answer questions about your GDPR needs.