What is the EU GDPR?
In the European Union (EU), privacy and data protection are fundamental human rights enforced through law. The GDPR supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with.
Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of EU residents to have more control over how their personal data is collected and processed, and places a range of new obligations and responsibilities on organizations to be more accountable for data privacy and protection.
The GDPR – what it means for Canadian and US organizations
The GDPR applies to any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed. Canadian and US organizations with any connection to the EU – whether through subsidiaries, customers, or suppliers – stand to be affected. Organizations should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.
GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you are able to demonstrate compliance with its six data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability, and individuals’ rights provisions, and building a workplace culture of data privacy and security.
In some cases, the GDPR compliance steps will supplement existing measures that many North American organizations adopt as a matter of good practice or to comply with sector or state privacy laws, e.g. the Health Insurance Portability and Accountability Act (HIPAA).
With an appropriate privacy compliance framework in place, not only will you be able to avoid significant fines and potentially heavy reputational damage but you will also be able to show customers that you can be trusted with their data, and ultimately derive added value from the data you hold.
Speak to an expert
Click to expand some key changes introduced by the Regulation:
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject). The Regulation places much stronger controls on the processing of special categories of personal data than the DPA 1998. The inclusion of genetic and biometric data is new.
- Email address
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
Special categories of personal data
- Political opinions
- Trade union membership
- Sexual orientation
- Health information
- Biometric data
- Genetic data
The benefits of GDPR compliance
There are great advantages to GDPR compliance. The new law promotes greater transparency and accountability and aims to increase public trust by giving individuals more control over their data. By getting data protection right, organizations will enhance their reputation, and build better, trusted relationships with existing and potential customers.
The business benefits of the GDPR include:
- Build customer trust
- Improve brand image and reputation
- Improve data governance
- Improve information security
- Improve competitive advantage
How IT Governance can help you get GDPR-ready
IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping organizations address the challenges of EU GDPR compliance.
Browse our wide range of products that can help you meet your GDPR compliance objectives.