How to Comply With GDPR
What Is GDPR?
GDPR stands for the General Data Protection Regulation. It requires organizations to protect the privacy and personal data of individuals in the European Union; the regulation turns on where the data subject is, not on citizenship, and it also reaches organizations outside the EU that offer goods or services to, or monitor, people in the EU (Article 3). The regulation took effect on 25 May 2018, replacing the 1995 Data Protection Directive, and was the most significant change to compliance obligations in many years. Because it is a regulation rather than a directive, it applies directly and uniformly across all EU member states, so there is essentially one standard to meet (member states may add limited national derogations, for example on the age of consent for children).
GDPR sets a high standard, however, and every organization that falls within its scope must comply. Non-compliance carries steep consequences, so preparing properly for GDPR is critical.
Who Does GDPR Affect?
Schrems II Lawsuit
Definitions & Responsibilities You Should Know
GDPR Data Processor & Data Controller
Data Protection Officer
Data Protection Impact Assessment
Right to Access, Rectification, & Erasure
Risks of Non-Compliance
Consider if your personal information has ever been stolen, such as your credit card information after you used an online retail site. Do you blame the hacker, or the retailer that collected your information without the security in place to protect it? Many consumers fall into the latter camp, but the consequences of not preparing for GDPR compliance go far beyond public opinion of your business.
Fines & Penalties
Action Plan: How to Comply With GDPR
There are five primary steps a business must take to comply with GDPR.
1. Access – First, companies must gain access to all of their data sources, regardless of technology type (databases, file shares, SaaS applications, backups, logs). Companies must investigate and thoroughly audit what personal data is stored and used across their data landscape. GDPR expects companies to be able to demonstrate that they know where personal data is and is not (the accountability principle in Article 5(2) and the records of processing in Article 30), rather than relying on assumptions.
2. Identify – Next, companies must inspect each data source to identify what personal data it holds. This often means parsing free-text or composite fields to extract and categorize individual data elements, because personal data is not only direct identifiers such as names and e-mail addresses but also data that identifies someone in combination with other data (Recital 26).
3. Govern – Privacy rules must be established, documented, and shared across all lines of business. Roles and definitions must be established in a governance model. Business terms can then be linked to physical data sources, and companies can establish data lineage from point of creation to point of consumption for advanced control.
4. Protect – GDPR does not prescribe particular technologies. Article 32 requires technical and organizational measures appropriate to the risk and names pseudonymisation and encryption as examples. Three techniques come up most often: encryption (reversible with the key; protects data at rest and in transit but leaves it personal data), pseudonymisation (identifiers replaced by tokens that can be re-linked to a person only with additional information kept separately, Article 4(5); the data is still personal data), and anonymisation (identification made irreversible, after which the data falls outside GDPR, Recital 26). Which technique applies depends on the data subject's rights and the usage context: a pseudonymised dataset must still support access and erasure requests, which means the re-linking information has to be retained and protected, whereas truly anonymised data cannot be traced back to anyone and so cannot serve those requests at all.
5. Audit – Lastly, companies must be able to provide reports that clearly show regulators that (1) they know what personal data they have and where it is located, (2) they properly manage the process for obtaining consent from data subjects, (3) they can prove how personal data is used, who uses it, and for what purpose, and (4) they maintain proper practices for obligations such as breach notification (to the supervisory authority within 72 hours of becoming aware of the breach, Article 33) and the right to erasure.
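The Identify and Protect steps above are the ones with a concrete technical shape. The following is an added example, not code from the original page: it classifies the fields of a small constructed dataset into direct identifiers, quasi-identifiers and non-personal data, then shows the difference between pseudonymisation (a keyed HMAC token that the controller can re-link using a separately held key and mapping) and anonymisation (generalising quasi-identifiers and suppressing any combination shared by fewer than k records, after which no re-linking is possible). The records, the field names, and the classification table are assumptions made for the example; encryption, the third technique the text names, is a storage and transport control and is not shown here.

```python
"""Constructed example: identify, pseudonymise and anonymise personal data in a
small in-memory dataset. Not the page's own code; records and field names are
invented for illustration."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records (fictional people, fictional addresses).
RECORDS = [
    {"email": "alice@example.org", "name": "Alice Adams", "postcode": "10115", "birth_year": 1984, "purchase": 42.0},
    {"email": "bob@example.org", "name": "Bob Brown", "postcode": "10117", "birth_year": 1986, "purchase": 13.5},
    {"email": "carol@example.org", "name": "Carol Clark", "postcode": "10178", "birth_year": 1981, "purchase": 99.0},
    {"email": "dan@example.org", "name": "Dan Dunn", "postcode": "20095", "birth_year": 1990, "purchase": 5.0},
]

# Step 2 (Identify): assumed classification table. Direct identifiers point at
# one person on their own; quasi-identifiers identify someone in combination
# (Recital 26). Everything else is treated as non-personal for this example.
DIRECT_FIELDS = {"email", "name"}
QUASI_FIELDS = {"postcode", "birth_year"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def identify(record):
    """Return {field: 'direct' | 'quasi' | 'none'} for one record.

    Classification is by field name, plus a value check so that an e-mail
    address sitting in an unexpected column (a free-text 'notes' field, say)
    is still flagged rather than passed through as non-personal data."""
    categories = {}
    for field, value in record.items():
        if field in DIRECT_FIELDS or (isinstance(value, str) and EMAIL_RE.match(value)):
            categories[field] = "direct"
        elif field in QUASI_FIELDS:
            categories[field] = "quasi"
        else:
            categories[field] = "none"
    return categories


# Step 4 (Protect), option A: pseudonymisation (Article 4(5)). Direct identifiers
# are replaced by HMAC-SHA256 tokens. The key and the token map are the
# "additional information" that must be stored separately from the dataset;
# whoever holds them can re-link a token to the person, which is exactly what an
# access or erasure request needs. Same key + same value -> same token, so joins
# across pseudonymised tables still work.
def pseudonymize(record, key: bytes):
    """Return (pseudonymised_record, token_map). token_map goes to separate storage."""
    token_map = {}
    out = dict(record)
    for field, category in identify(record).items():
        if category == "direct":
            token = hmac.new(key, str(record[field]).encode("utf-8"), hashlib.sha256).hexdigest()[:16]
            token_map[token] = record[field]
            out[field] = token
    return out, token_map


# Step 4, option B: anonymisation. Direct identifiers are dropped entirely,
# quasi-identifiers are generalised (postcode area, birth decade), and any
# equivalence class with fewer than k rows is suppressed, so every remaining row
# is indistinguishable from at least k-1 others. Only then is the result outside
# GDPR (Recital 26), and there is deliberately no way back.
def anonymize(records, k=2):
    """Return (kept_rows, number_suppressed)."""
    generalised = [
        {
            "postcode": r["postcode"][:2] + "***",
            "birth_decade": (r["birth_year"] // 10) * 10,
            "purchase": r["purchase"],
        }
        for r in records
    ]
    groups = Counter((g["postcode"], g["birth_decade"]) for g in generalised)
    kept = [g for g in generalised if groups[(g["postcode"], g["birth_decade"])] >= k]
    return kept, len(generalised) - len(kept)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-me-elsewhere"  # assumption: key lives in a separate KMS/vault
    print("identify:", identify(RECORDS[0]))
    pseudo, mapping = pseudonymize(RECORDS[0], demo_key)
    print("pseudonymised:", pseudo)
    print("re-link table (store separately):", mapping)
    kept, suppressed = anonymize(RECORDS, k=2)
    print("anonymised rows:", kept, "suppressed:", suppressed)
```

Note the asymmetry this makes visible: with four records, the generalised postcode/birth-decade combination for the fourth person is unique, so a 2-anonymous release has to drop that row (or generalise further); the pseudonymised record, by contrast, keeps every row and every column, and is still personal data for as long as the key and mapping exist anywhere.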