It is designed to both strengthen and harmonise data protection across EU member states, and is directly applicable to all organisations ‘established’ in the EU, irrespective of whether the actual data processing takes place in the EU or not. Even if not established in an EU country, certain organizations with substantial activities in the EU will need to comply with GDPR. Please refer to our infographic Could You Be Subject to GDPR? for further guidance on whether or not GDPR may apply to your organization.
Such organizations that are subject to GDPR and collect, store or process personal data must comply with GDPR’s Data Protection Principles and other conditions of processing. New obligations on data controllers include expanded data subject rights, mandatory data breach notification, an enhanced focus on accountability and the appointment of Data Protection Officers. Personal data must still be processed fairly and lawfully, justified by one of six legal bases that have remained substantially similar between the Data Protection Act and GDPR, including with the data subject’s consent.
Arguably the most significant change, however, is the requirement that a data subject’s consent to process their data must now be ‘unambiguous’ and given via a ‘clear, affirmative action’. The penalties are also set to change, standing at a maximum of €20,000,000 or 4% of global revenue; whichever is higher.
For a more in depth discussion of GDPR’s operational effects, please read Blackbaud’s datasheet Important Impacts of GDPR. Undoubtedly therefore, GDPR requires organizations processing personal data to implement significant operational reform. Blackbaud has designed the following solution functionality to assist our customers in achieving this reform.
Please visit our website for more information. If you aren't sure whether or not your organization is subject to GDPR, this helpful document will provide more information about requirements. However, you should consult with your legal team on what kind of action you should take.