In this article, you will find out:
- What GDPR is
- Who is subject to GDPR and how to achieve compliance
What’s GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation on data privacy and security that applies throughout the European Economic Area (EEA): all EU member states plus Iceland, Liechtenstein, and Norway.
Who Is Subject to GDPR?
While it originates from EU legislation, its reach is not limited to EU companies. Under Article 3 it applies to any organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to individuals in the EU (whether or not payment is involved) or monitor their behaviour there.
How to Achieve GDPR Compliance?
GDPR does not mandate an audit. It does, however, require you to be able to demonstrate compliance (the accountability principle in Article 5(2)), so when customers or other third parties ask for evidence, an audit or a certification under an approved scheme (Article 42) is often the most practical way to provide it.
Beyond that, an organization must satisfy the requirements for properly processing the personal data of individuals in the EU:
Establishing a legal basis for data processing
Organizations must have a valid legal basis for collecting and processing personal data. Article 6 lists six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest, and legitimate interests (where these are not overridden by the data subject's rights). Identify and document the basis before processing starts; it cannot be swapped for a different one afterwards.
Obtaining explicit consent from data subjects
Where consent is the legal basis, it must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Regardless of the legal basis, organizations must explain their data processing practices to data subjects, typically through a clearly written privacy notice (Articles 12 to 14).
Implementing technical and organizational safeguards
To protect personal data, organizations must implement technical and organizational measures appropriate to the risk (Article 32). Examples named in the regulation include pseudonymisation and encryption, ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore data after an incident, and regular testing of those measures. In practice this also means appropriate logical access controls and periodic (for example, annual) security and privacy awareness training.
Sending breach notifications
In the event of a personal data breach, organizations must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34). All breaches, including those not notified, must be documented internally.
Appointing a data protection officer (if applicable)
Certain organizations are obligated to appoint a data protection officer who oversees the development and execution of the organization’s data protection strategy.
An organization must appoint a data protection officer (DPO) if:
- It is a public authority or body (other than a court acting in its judicial capacity)
- Its core activities require regular and systematic monitoring of data subjects on a large scale
- Its core activities involve large-scale processing of special categories of data, or of data relating to criminal convictions and offenses
Honoring data subject rights
GDPR grants data subjects several rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing, and rights related to automated decision-making and profiling. Organizations must have a process to recognize such requests and respond to them, normally within one month.
Design products and services with privacy in mind
Incorporate data privacy and protection into every stage of development (privacy by design) and ensure that, by default, only the personal data necessary for each specific purpose is collected, processed, and retained (privacy by default), as required by Article 25.
Conduct a data protection impact assessment
A Data Protection Impact Assessment (DPIA) documents how your organization identifies and minimizes the risks of a given processing activity. A DPIA is mandatory when processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of public areas (Article 35). Carrying one out for lower-risk activities is optional but still provides valuable insight into how data is handled.
Restrict personal data transfers outside of the EU
When personal data is transferred outside the EU or European Economic Area (EEA), both the data exporter and the data importer must ensure that the data remains protected to the GDPR standard through appropriate technical and organizational measures.
Such transfers are allowed in the following cases:
- The European Commission (EC) has issued an adequacy decision for the country where the receiver is based (Article 45)
- The transfer is covered by one of the appropriate safeguards listed in GDPR Article 46, such as standard contractual clauses or binding corporate rules
- The data subject has given explicit consent after being informed of the possible risks (Article 49)
- The transfer is necessary to perform a contract with the data subject, or a contract concluded in the data subject's interest
- The transfer is necessary for important reasons of public interest or to protect someone's vital interests
- The transfer is necessary to establish, exercise, or defend a legal claim
- The transfer is made from a public register
- It is a one-off transfer concerning a limited number of data subjects that is necessary for compelling legitimate interests, has been risk-assessed, and has been reported to the supervisory authority
Complete regular privacy awareness training
Conduct ongoing employee training (at least annually) that covers GDPR’s scope, core principles of data protection, data subject rights, responsibilities of data controllers and data processors, and the appropriate response to cybersecurity incidents and data breaches.
Sign up for Agency today and find out more about ways to stay GDPR compliant.