Have you already heard the abbreviation GDPR? It seems to be a new buzzword floating around the business world, but what does it mean?
The definition in Wikipedia says that the General Data Protection Regulation (GDPR) (EU) 2016/679 is “a regulation in EU law on data protection and privacy for all individuals within the European Union”. The Regulation refers both to the use of personal data inside the EU and the export of personal data of EU residents outside the union.
The primary aim of the GDPR is to give citizens and residents back control over their personal data. Another aim is to unify data protection regulation within the EU and thus to simplify the regulatory environment for international business. The GDPR takes effect on May 25, 2018 and will replace the outdated 1995 Data Protection Directive (Directive 95/46/EC).
What is the Impact of the New General Data Protection Regulations (GDPR)?
The new Regulation requires GDPR compliance not only from companies located within the EU, but also from companies located outside the EU that process and hold personal data of EU residents, even if those companies have no business presence in the EU.
The GDPR itself includes 11 chapters and 91 articles setting out the rights of individuals and obligations placed on organizations covered by the regulation. The key GDPR compliance requirements concerning data protection include:
- The consent of subjects is required for data processing
- Collected data must be anonymized to protect privacy
- Data breaches must be notified in a very short time period
- Safe handling of data across borders
- Certain companies are required to appoint a data protection officer to control GDPR compliance
Checklist for GDPR Compliance
How can you check whether your company must comply with the GDPR? The European ICO (Information Commissioner’s Office) has created a 12-step guide which can help a company’s senior management prepare for GDPR enforcement.
In short, the guide recommends that you:
1. Learn about the GDPR and make all stakeholders aware of the new rules. The stakeholders should include not only IT personnel but also the marketing, finance, sales and operations departments: every part of the company that collects, analyses or otherwise makes use of personal information provided by customers.
2. Assess the information your company holds and the risks related to it. Outline the measures to mitigate those risks and uncover any shadow IT that may collect or store personal data of EU citizens.
3. Review privacy notices to make them compliant with the consent requirements of the Regulation.
4. Check the procedures used by your company to make sure they take into account all the individual rights provided by the GDPR.
5. Check whether your procedures comply with the time frames the GDPR sets for notifications. Do you still remember the 72-hour rule?
6. Check your lawful basis for processing personal data. Remember that consent by default no longer works! According to the itgovernance.eu web site, you can collect and process data on the following legal grounds: a contract with the individual; compliance with a legal obligation; vital interests; a public task; or legitimate interests.
7. Check all procedures and requests relating to consent. Make the consent forms you use compliant with GDPR requirements.
8. Check the consent requirements for children. Determine whether you need to verify the age of data subjects and obtain parental or guardian consent for data processing.
9. Check whether you have the necessary tools to identify, report and investigate data breaches.
10. Check whether your data protection system is in line with a privacy-by-design approach.
11. Appoint Data Protection Officer(s) responsible for data protection compliance.
12. If your company operates in more than one EU state, determine your lead data protection supervisory authority for reporting purposes.