If you are in any doubt about whether the processing of personal data you carry out falls within the scope of the General Data Protection Regulation (GDPR), you should conduct a Data Protection Impact Assessment (DPIA): the penalty for failing to do so when one is required is a fine of €10 million or 2% of annual global turnover, whichever is greater.
On 7 September The Washington Post reported that a security breach at Equifax, a US credit rating bureau, had given hackers access to personal data belonging to an estimated 143 million individuals. The breach was reportedly due to an 11-year-old web application flaw, and it compromised the personal information not only of Americans but also of British and Canadian consumers.
The stolen personal data included names, driver's licence details, credit card numbers, social security numbers and dates of birth: in short, the key ingredients for identity fraud.
If you own or manage an organisation in the EU and are concerned about the imminent General Data Protection Regulation (GDPR), read on for an overview of what will be required of you to achieve compliance.
The GDPR was approved by the EU Parliament on 14 April 2016 after four years of discussion and planning. The regulation replaces the Data Protection Directive of 1995 and harmonises data protection rules across the European Union.