• It invalidates the outdated European Directive 95/46 / EC
• GDPR is a development and update of the existing European Data Protection Directive (DPD).
• It addresses many of the shortcomings of DPD by adding requirements for IT documentation, risk assessment under certain conditions, reporting to the consumer and authorities when there is a breach, and strengthening data minimization rules.
• One way to describe GDPR is that it legislates many notions on data security, minimizing the collection of personal data, deleting no longer necessary personal data, and limiting access to them.

• It has extensive competence as it applies to ALL businesses and organizations that process personal data.
• The terms of the consensus have been strengthened and companies will no longer use illegible terms of agreement. The consent form must be provided in an understandable manner.
• A fine of up to 4% of the total annual turnover or up to 20 million euro may be imposed (whichever is greater).
• It provides Member States with the flexibility to specify their rules, including those relating to the processing of specific categories of personal data (‘sensitive data’).

• Data Breach Notification:

According to the GDPR, breach notification will be mandatory in all Member States where a data breach may “lead to a risk to the rights and freedoms of individuals”. This must be done within 72 hours of the violation being realized. Data controllers will also be required to notify their clients and auditors, ” without unwarranted delay,” as soon as the data breach is detected.

• Access rights:

Part of the expanded rights of individuals is their right to receive confirmation from the data controller about whether or not their personal data is processed, where, and for what purpose. Moreover, a free copy of personal data must be provided in digital form. This is a dramatic development in data transparency.

Removal of notification obligation:

• This obligation has not contributed much to improving the protection of personal data.
• General disclosure obligations of this kind should be abolished and replaced by more effective procedures and mechanisms.
• These types of processing actions may be those that, in particular, involve the use of new technologies.

Data Protection Officer (DPO) – Article 37:

His appointment shall be deemed necessary for the controller and the processor in each case where:

• processing is carried out by a public authority or body, excluding courts that act within their jurisdiction,
• the main activities of the controller or processor are processing operations which require regular and systematic monitoring of large-scale entities,
• the main activities of the controller or processor are large-scale processing of specific categories of personal data such as genetic or biometric data, health data as well as data relating to criminal convictions and offenses.

The concept of ‘large-scale’ activities includes hospitals, insurance, and pharmaceutical companies that can process a wealth of personal and sensitive data, such as patient health data.

Data Protection Officer (DPO) Assignment & Obligations:

• Assignment based on professional qualifications. In particular his expertise in the field of personal data protection law and related practices as well as the ability to perform his duties.
• The designation of “Data Protection Officer” must be in writing.
• The ‘Processor’ and the ‘Controller’ shall notify the Authority of the name and status of the Data Protection Officer.
• The Data Protection Officer is bound by a “duty of confidentiality” and must not disclose any facts or information that came to his or her knowledge in the performance of his or her duties to any third party.

The Data Protection Officer DPO:

• is advisory and supportive
• acts as a contact liaison with the proper authorities

Given the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing, the data protection officer must inform and advise the controller or processor of the intended data protection legislation, as well as monitoring compliance with the Regulation to minimize the risk of breach. Article 38 of the GDPR stipulates that the DPO is accountable to the highest level of management, does not receive instructions to perform his duties, is not responsible for non-compliance by the controller / processor, is not fired or penalized for performing his or her duties. Data Protection Officer (DPO) Duties:

• informing and advising the ‘Controller’ and the processing officers of their obligations under provisions of national or Union law.
• monitoring compliance with data protection, including delegation of responsibilities, awareness raising and training of staff involved in processing operations and audits.
• monitoring compliance with data protection, including delegation of responsibilities, raising awareness and training the staff involved in processing operations and audits.
• cooperating with the Data Protection Authority.
• act as a point of contact for the Authority on issues related to processing.

In any case, in order to ensure compliance with the requirements of this Regulation:

• The controller should only use processors who provide sufficient assurances in terms of expertise, reliability and resources, for the implementation of technical and organizational measures that meet the requirements of this Regulation, including those concerning the safety of processing.
• The accession of the processor to an approved code of conduct or an approved certification mechanism can be used as evidence to demonstrate compliance with the obligations of the controller.
• Processing should be governed by a contract or other legal act, based on Union law or the law of the Member States, linking the processor with the controller, specifying the subject, duration, nature and purposes of the processing, the type of personal data and the categories of data subjects.