The key changes of the GDPR were the introduction of several principles that previously underpinned data protection law, such as the 'accountability principle' and 'privacy by design', and encourages organisations to take more responsibility for protecting the personal data they handle.
Privacy by design: This means that organisations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed.
User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.
Tougher breach notification rules: Under the GDPR, organisations are required to have a strong breach notification system in place and understand their specific reporting obligations.
Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.
Data protection officer: The GDPR requires companies that engage in the processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.