Since the EU General Data Protection Regulation (GDPR) was formally approved earlier in 2016, US organizations have been under pressure to put controls in place to improve data protection. Unlike previous data protection laws, the GDPR applies to any business processing the personal data of EU residents. This will be a big adjustment for organizations, and will affect millions of businesses worldwide.
What the GDPR stipulates
The GDPR introduces a number of key changes for organizations:
- The definition of personal data is now broader, bringing more data under the Regulation’s scope
- Parental (or equivalent) consent will be necessary to process children’s data
- The rules for obtaining valid consent for collecting data have changed; clear and affirmative consent to the processing of private data must be provided
- The appointment of a data protection officer (DPO) will be mandatory for certain organizations
- Data protection impact assessments will be mandatory under certain conditions
- Data controllers have 72 hours to report a data breach
- Data subjects have the “right to be forgotten”
For more on the key changes the Regulation will introduce, read our overview.
Implementing the GDPR and achieving compliance
Set up a compliance framework – As a first step, we recommend putting in place a compliance framework that ensures you implement appropriate technical and organizational measures aligned with the GDPR. A compliance framework is a structured set of guidelines and practices that bring together the regulatory compliance requirements that apply to an organization, and the business processes, policies, and controls that are necessary in order to meet these requirements.
Within this, you’ll need to define your scope, and ensure that the GDPR is on the radar for all directors and on the agendas of all board meetings.
Set your objectives – Your primary objective will be to comply with the GDPR, but other objectives might include identifying efficiencies within the new legal regime and securing data protection throughout your supply chain.
Get to grips with key processes – Your framework should have a number of key processes, including incident management, change management, corrective action, risk management, and continual improvement.
Ensure your project runs as business as usual – For your GDPR project to be successful, you’ll need to establish how it integrates with your framework. Who is responsible and accountable for each process? Who needs oversight? What sort of training is necessary? These sorts of questions, in conjunction with the requirements of the GDPR, will inform how you build the framework from the core requirements.
It is also a good idea to join the EU-US Privacy Shield, a framework designed to comply with the international data transfer requirements of EU law. Businesses need to comply with both the GDPR and the EU-US Privacy Shield to be able to receive and process the personal data of EU residents.
Don’t delay until May 2018. If the GDPR applies to you, start your compliance project now.
Get more information on the GDPR and its requirements on our certified EU GDPR Foundation Training Course. Gain a comprehensive introduction to the GDPR and a practical understanding of the implications and legal requirements for US organizations in this one-day introductory training course. Available in three delivery options:
The EU GDPR Practitioner Training Course is four days, and uses a real-life case study to give a practical understanding of the tools and methods for implementing and managing an effective compliance framework.
Save 15% by booking the EU GDPR Foundation and Practitioner courses at the same time.
EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide
Excerpts from this blog post were taken from EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide. This must-have guide provides essential implementation guidance on the GDPR, covering:
- The GDPR in terms you can understand
- How to set out the obligations of data controllers and processors
- What to do with international data transfers
- Understanding data subjects’ rights and consent
For more guidance on GDPR compliance, take a look at our EU GDPR Documentation Toolkit.