This website uses cookies. View our cookie policy
Close
USA
Select regional store:

The EU General Data Protection Regulation (GDPR)

What is the GDPR?

In the European Union (EU), privacy and data protection are fundamental human rights enforced through law.  The GDPR supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with.

Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of EU residents to have more control over how their personal data is collected and processed, and places a range of new obligations and responsibilities on organizations to be more accountable for data privacy and protection.


The GDPR – what it means for Canadian and US organizations

The GDPR applies to any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed. Canadian and US organizations with any connection to the EU – whether through subsidiaries, customers, or suppliers – stand to be affected. Organizations should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.

GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you are able to demonstrate compliance with its six data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability, and individuals’ rights provisions, and building a workplace culture of data privacy and security.

In some cases, the GDPR compliance steps will supplement existing measures that many North American organizations adopt as a matter of good practice or to comply with sector or state privacy laws, e.g. the Health Insurance Portability and Accountability Act (HIPAA).

With an appropriate privacy compliance framework in place, not only will you be able to avoid significant fines and potentially heavy reputational damage but you will also be able to show customers that you can be trusted with their data, and ultimately derive added value from the data you hold.

Speak to an expert

Video summary of the EU GDPR

When the GDPR came into effect on 25 May 2018, it was the first major update to European data protection law for over 20 years. The Regulation gives individuals (known as data subjects) much greater control over how organizations process their personal data.
 

Watch our 7-minute video for a comprehensive overview of the GDPR.


The key elements of the GDPR

Click to expand some key elements of the Regulation:

  • Establishing a governance structure with roles and responsibilities
  • Keeping a detailed record of all data processing operations
  • Documenting data protection policies and procedures
  • Conducting data protection impact assessments (DPIAs) for high-risk processing operations  
  • Implementing appropriate measures to secure personal data.
  • Offering staff training and awareness programs
  • Where necessary, appointing a data protection officer

Read our GDPR compliance checklist >>

  • Be processed lawfully, fairly, and transparently (‘lawfulness, fairness and transparency’)
  • Be collected only for specific, legitimate purposes (‘purpose limitation’)
  • Be adequate, relevant, and limited to what is necessary (‘data minimisation’)
  • Be accurate and kept up to date (‘accuracy’)
  • Be stored only as long as is necessary for the purposes specified (‘storage limitation’)
  • Processed in a secure manner “using appropriate technical and organisational measures” (‘integrity and confidentiality’)

  • Explicit consent from the individual
  • The necessity to perform a contractual obligation
  • Protecting the vital interests of the individual
  • The organization’s legal obligation
  • Necessity for the public interest
  • The legitimate interests of the organization

  • The right of access to personal data through subject access requests (SARs)
  • The right to correct inaccurate personal data
  • The right in certain cases to have personal data erased (the ‘right to be forgotten’)
  • The right to object
  • The right to move personal data from one service provider to another

  • Consent must be freely given, specific, informed, and unambiguous
  • A request for consent must be intelligible and in clear, plain language
  • Silence, pre-ticked boxes, and inactivity will no longer suffice as consent
  • Consent can be withdrawn at any time
  • Consent for online services from a child under 16 is only valid with parental authorization
  • Organizations must be able to evidence consent

  • Appropriate safeguards should be integrated into the processing.
  • Data protection must be considered at the design stage of any new process, system or technology.
  • A DPIA (data protection impact assessment) is an integral part of privacy by design

  • When personal data is collected directly from data subjects, data controllers must provide a privacy notice at the time of collection.
  • When personal data is not obtained direct from data subjects, data controllers must provide a privacy notice without undue delay, and within a month. This must be done the first time they communicate with the data subject.
  • For all processing activities, data controllers must decide how the data subjects will be informed and design privacy notices accordingly. Notices can be issued in stages.
  • Privacy notices must be provided to data subjects in a concise, transparent and easily accessible form, using clear and plain language.

  • Where the EU has designated a country as providing an adequate level of data protection;
  • Through model contracts or binding corporate rules; or
  • By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.

If a data breach does occur, it has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware. Any individuals impacted should also be informed, if there is a risk to their rights and freedoms, such as identity theft or personal safety.

  • Public authorities;
  • Organisations involved in high-risk processing; and
  • Organisations processing special categories of data.

A DPO has set tasks:

  • Informing and advising the organization of its obligations
  • Monitoring compliance, including raising awareness, staff training, and audits
  • Cooperating with the relevant authorities and acting as a contact point

Find out more about the key changes introduced by the GDPR and how you can comply by downloading our free green paper >>


What is personal data? 

Personal data is any information relating to an identified or identifiable natural person (data subject). The Regulation places much stronger controls on the processing of special categories of personal data than the DPA 1998. The inclusion of genetic and biometric data is new.

Personal data

  • Name
  • Address
  • Email address
  • Photo
  • IP address
  • Location data
  • Online behaviour (cookies)
  • Profiling and analytics data

Special categories of personal data

  • Race
  • Religion
  • Political opinions
  • Trade union membership
  • Sexual orientation
  • Health information
  • Biometric data
  • Genetic data

The benefits of the GDPR

There are great advantages to GDPR compliance. The new law promotes greater transparency and accountability and aims to increase public trust by giving individuals more control over their data. By getting data protection right, organizations will enhance their reputation, and build better, trusted relationships with existing and potential customers.

The business benefits of the GDPR include:

  • Build customer trust
  • Improve brand image and reputation
  • Improve data governance
  • Improve information security
  • Improve competitive advantage

How IT Governance can help you get GDPR-ready

IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organizations globally address the challenges of GDPR compliance.

Browse our wide range of products that can help you meet your GDPR compliance objectives.


Speak to an expert

Please contact our GDPR team for advice and guidance on our products and services