The General Data Protection Regulation (GDPR) enables individuals to better control their personal data within the European Union (EU).
What is GDPR?
The General Data Protection Regulation (GDPR) enables individuals to better control their personal data within the European Union (EU). The regulation focuses on the export of personal data outside of the EU. The regulation applies to any organization that collects or processes data belonging to an EU citizen or resident, including organizations located outside of the EU.
GDPR aims to provide data protection through data control, data security, the right to erasure, risk mitigation and due diligence, and breach notification. However, GDPR cannot be reduced to a simple checklist. It often speaks in terms of broad standards rather than specific rules, requiring organizations to take “appropriate” measures to protect privacy. Going forward, the most important aspects of GDPR compliance to focus on through implementation and maintenance are the internal and external data flow maps, along with the policies and procedures.
What are the penalties for non-compliance?
The GDPR imposes stiff fines, administered by the individual member state supervisory authorities, on data controllers and processors for non-compliance. An organization that is not in compliance can be fined up to 20 million Euros or 4% of global annual revenue, whichever is greater.
What do your clients need to be GDPR compliant?
Organizations must ensure that personal data is gathered legally and under strict conditions. Whoever collects it is obliged to protect it from misuse or theft, or face penalties for not doing so. Companies with more than 250 employees must document why people's information is being collected, processed or stored. Additionally, they must document the technical security measures put in place. Companies that regularly monitor sensitive and personal data must employ a Data Protection Officer (DPO). Finally, the organization must clearly explain what consent is being given when it collects data.
GDPR Data Rights
Consent must be voluntarily provided. The individual providing the consent must be given a genuine choice in doing so. The individual must be made aware that they have the ability to withdraw their consent, and withdrawing it must be as easy as granting it. Where the data subject is under the age of 16, additional consent or agreement is required from the holder of parental rights.
Right of Access
The Right of Access is an essential component of GDPR that provides all data subjects the right to access their processed personal or sensitive data upon request.
Right to be Forgotten
The Right to be Forgotten, also known as the Right to Erasure, is defined by GDPR as: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data has been provided.
CCS GDPR Valuation Analysis Questionnaire