LO 8.3.1.B

Learning Objective: Describe the key changes in data protection regulation including the meaning of

• Rights of the individual

• Informed consent

• Notification

• Data portability

• Supervision and enforcement, and

• Liability.

Review

• Key Changes

• Rights of the individual: individuals have the right to access, amend, restrict, withdraw consent, and request that their personal data be erased.
• Informed consent: requests for consent to be explicit (not implied) and written in clear and easy-to-understand language, and as easy to withdraw as to give.
• Notification: There is a mandatory breach notification period of 72 hours for organizations to notify the national regulator.
• Data portability: Customers can transfer personal data from one company to another, but only data provided by the customer themselves and in a machine-readable format.
• Supervision and enforcement: 

Any national regulator can take or lead action across all member states.

Organizations outside the EU, but processing data of EU citizens, can face sanctions and be subject to individual claims.

Similarly, this applies to citizens 'in' the EU but not necessarily EU citizens.

Higher penalties for breaching the regulations, with maximum fines at €20 million or 4% of annual worldwide turnover (whichever is greater).

For lesser offenses, it is €10 million or 2% of global annual turnover (whichever is greater).

• Liability: Data Processors, in addition to the Data Controller, are directly liable.