With the EU General Data Protection Regulation (GDPR) coming into effect next year, organizations across the globe are under more pressure than ever to improve their data protection practices.
The GDPR will force organizations to dramatically change the way they handle EU residents’ personal information. Although it’s an EU regulation, it affects countless organizations worldwide that handle such data, including many in the US.
What the GDPR stipulates
The GDPR introduces a number of key changes to data protection laws:
- It broadens the definition of ‘personal data’, which now encompasses factors such as an individual’s mental, economic, cultural, and social identity.
- It requires parental (or equivalent) consent to process children’s data.
- It changes the rules for obtaining valid consent when collecting data: consent will now have to be clear and affirmative.
- It mandates the appointment of a data protection officer (DPO) for organizations that process EU residents’ data on a large scale.
- It requires data protection impact assessments (DPIAs) for organizations that undertake high-risk data processing activities.
- It requires data controllers to report a data breach within 72 hours of discovery.
- It gives data subjects the ‘right to be forgotten’.
Implementing the GDPR
To put the appropriate measures in place to comply with the GDPR, we recommend that you:
- Set up a compliance framework
A compliance framework is a structured set of guidelines and practices. It brings together the regulatory compliance requirements that apply to an organization, and the business processes, policies, and controls that are necessary to meet these requirements.
Within this, you’ll need to define your scope. You’ll also need to ensure that the GDPR is on the radar for all directors and on the agenda for all board meetings.
- Set your objectives
Your primary objective will be to comply with the GDPR, but other objectives might include identifying efficiencies within the new legal regime and securing data protection throughout your supply chain.
- Get to grips with key processes
Your framework should have a number of key processes, including incident management, corrective action, risk management, and continual improvement.
- Ensure your project runs like business as usual
For your GDPR project to be successful, you’ll need to establish how it integrates with your framework. Who is responsible and accountable for each process? Who needs oversight? What sort of training is necessary? These sorts of questions, in conjunction with the requirements of the GDPR, will inform how you build your framework out from the core requirements.
GDPR: An implementation guide
You can find out more about achieving compliance with the GDPR by reading our current book of the month, EU General Data Protection (GDPR) – An Implementation and Compliance Guide.
Written by the IT Governance Privacy Team, this book offers essential advice on implementing the GDPR. It covers:
- The GDPR in terms you can understand
- How to set out the obligations of data controllers and processors
- The EU-US Privacy Shield
- Data subjects’ rights and consent