What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that intends to strengthen and harmonise data protection rights of individuals within the EU.
The GDPR replaces the 20-year-old Data Protection Directive 95/46/EC, which technological advances had rendered inadequate. Although it contains many prescriptive requirements, such as documenting IT procedures, performing risk assessments, defining data collection and retention policies and notifying authorities of breaches, the GDPR is on the whole more descriptive than prescriptive: it sets out the outcomes to be achieved rather than the exact measures. For your organisation to become compliant, you’ll first need to examine how you collect, store and use personal data.
Personal data is any information relating to an identifiable natural person.
Personal data includes personal identifiers such as name, address, phone numbers, email addresses and health information of an individual. But it also includes online identifiers such as IP addresses.
The GDPR makes organisations accountable for the security of the personal data they hold on individuals and for any processing of that personal data. The GDPR requires that organisations minimise the personal data they collect, retain personal data no longer than necessary to achieve the purpose for which it was collected, restrict access to personal data and ensure it is secure through its entire lifecycle.
Core concepts and requirements to be aware of:
- Data protection by design – Organisations must ensure that data is collected in a lawful, fair and transparent way and only used for the purpose the individual intended. They must also ensure that personal data is collected on a no-more-than-necessary basis and is only held for as long as it’s needed. Organisations must strive to ensure the accuracy of the personal data they hold as well as its security and confidentiality.
- Assessments and record keeping – Organisations must have audit trails in place to show their data sharing and processing activities and, in some cases, a data protection impact assessment will be needed to determine possible risk to personal data privacy.
- Right to erasure – Also known as the right to be forgotten, this aspect of the GDPR enables individuals to request an organisation to delete their personal data.
- Extraterritoriality – Since the GDPR protects EU citizens and residents, the regulation extends to cover organisations that collect data about EU data subjects even if they don’t have a physical presence in the EU.
- Breach notification – Organisations have to notify data authorities within 72 hours after becoming aware of a breach of personal data.
- Sanctions – The most serious infringement of the GDPR can merit a fine of up to 4% of a company’s global turnover. Even the lesser fines can be up to 2% of global turnover.
In short, it is critical for you to examine the personal data your organisation collects in terms of how you store it, how you use it and who can access it.
GDPR365 enables you to easily get your compliance documentation in place, train your employees and manage your direct marketing, HR and IT services. GDPR365 manages and stores all contract documents with your processors and your data sharing agreements. GDPR365 provides full workflows to manage data subject access requests and breaches of the security of your personal data.