GDPR Compliance Best Practices Guide

A Best Practice Guide

Background

Approved by the European Union Parliament on April 14th, 2016

"Most radical overhaul of data protection laws in a generation ."
Deloitte.com/GDPR

Replacing the Data Protection Directive of 1995, the GDPR provides extensive requirements and penalty information as to how organizations must comply and what they might expect if they don't. Once ratified, the GDPR entered into an approximate 2 year grace period to allow companies to implement necessary technical, operational and procedural updates to obtain compliance with the GDPR.

Starting May 25th, 2018, the GDPR will be fully enforceable and any organizations with infringements involving the control, process or transfer of the personal data of EU natural persons could face heavy penalties; ADMINISTRATIVE and or MONETARY fines.

WHAT DO YOU NEED TO KNOW?

The GDPR defines new worldwide privacy standards for citizens.

Thus ensuring compliance with this regulation will enhance your overall privacy program, further your efforts to minimize risk, protect your brand and build trust with consumers.

The GDPR places tighter limits around the processing of an individual's data. It provides clarity on what is considered Personal Data, (akin to what U.S. based companies often refer to as personally identifiable information). It includes information that can be used to identify a living individual directly (name, address, email etc.) or indirectly (IP address, location, customer ID) as well as sensitive data (biometric data or genetic data). Under the GDPR, organizations must safeguard consumer information and rights to privacy or they will be held accountable if they do not comply.

Data subjects are now granted specific and significant rights to seek compensation for infractions, rights to erasure and accurate representation. The new measure details how compensation can be sought against organizations and also the individuals employed by them.

Failure to comply with the GDPR could mean costly fines and penalties if your organization is at risk. Lower level infringements could incur fines of up to €10 million or 2% of the worldwide annual income of the prior financial year (whichever is greater). Upper level infringements could incur fines of up to €20 million or 4% of the worldwide annual income of the prior financial year (whichever is greater).

Failure to comply could mean fines and penalties if your organization is at risk.

PERSONAL DATA

(akin to Personally Identifiable Information but Expanded)

Personal data means any information related to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly. Examples include (but are not limited to):

  • First & last name (combined)
  • Home address
  • Medical records
  • Credit card details
  • IP address
  • Date/place of birth
  • Cookies
gdpr personal data

SHOULD YOU CARE?

Who does the GDPR effect?

The GDPR applies to any company processing the personal data or monitoring the behavior of citizens who reside in the European Union. Called 'increased territorial regulatory scope,' or extra-territorial applicability, it specifies that the regulations, penalties and fines are enforceable for data breach infractions within all 28 member states of the European Union, but also for any organizations controlling, processing or transferring the data of EU data subjects – no matter where the data controller or processor is geographically based.

"GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well."

Bart Williamson, Gartner

Do U.S. Organizations Need to Comply?

Yes. Companies across the EU and U.S.-based companies alike must change how they conduct certain business processes, provide access to consumer data across their internal organization, how they communicate about and request consent to process consumer data, erase and record processing of consumer data and how they protect the privacy of citizens in the handling of sensitive data.

Organizations must understand fully how data is processed, where it is being processed, who is processing and storing data (including third party applications), and demonstrate the ability to erase data no matter where it exists.

Most importantly, companies will be required to follow specific steps in the event of a data breach. Companies will be required to notify regulatory authorities and data subjects of any breach of personal data within 72 hours of the discovery the breach.

Key Changes Implemented by GDPR

gdpr mandatory icon
Mandatory Appointment of DPO's

Public authorities and businesses involved in systematic monitoring activities or data processing on a large scale will be required to appoint a Data Protection Officer. The DPO must have expert knowledge on data protection laws, may be a staff member or external service provider, must provide contact details to the relevant DPA, must be provided with appropriate resources to carry out tasks and maintain expertise, must report directly to the highest level of management and must not carry out any other tasks that could be a conflict of interest.

pdpr privacy icon
Privacy Impact Assessment

A Privacy Impact Assessment must be completed before any potentially high risk data processing.

gdpr privacy by design icon
Privacy By Design

Now a legal requirement under the GDPR, Privacy By Design means that data protection must be considered at all stages in the development of new systems, products and services.

gdpr enhanced rights icon
Enhanced Rights

Enhanced rights for individuals are implemented for data subject access requests, right to be forgotten, data portability, right to object to profiling.

gdpr withdraw consent icon
Ability to Give and Withdraw Consent

Consumers must be able to give consent to process their data in a straightforward way that is distinguishable from other matters. It must be provided in an intelligible and easily accessible form, with the purpose for collecting the data attached to that consent. Business will have to prove that consent was given and validly obtained and also provide a way to withdraw consent.

gdpr data portability icon
Data Portability

Consumers must have access to their personal data and be able to transmit it to other companies.

gdpr data breach icon
Data Breach Notification

NDPA (and individuals) must be notified within 72 hours unless the data breach is unlikely to result in a risk.

gdpr accountability icon
Greater Accountability for Infractions

Businesses must adapt technical and organizational measures to demonstrate compliance with GDPR's requirements. For lower level infractions, companies can be fined up to 2% of annual global turnover or €10 million, whichever is greater. For upper level infractions, companies can be fined up to 4% of annual global turnover or €20 million, whichever is greater.

GDPR: TECHNICAL IMPLICATIONS OVERVIEW

The General Data Protection Regulation (GDPR) gives consumers significant new rights.

To comply, organizations will have to prepare. New technical data protection and privacy safeguards must be implemented by organizations to support the changes in policy. New or updated procedures must be implemented to handle data collection, processing and transferring, as well as documenting consumers who exercise the 'right to be forgotten.' 

What is the 'right to be forgotten'? The 'right to be forgotten' mandate requires that organizations, upon request, delete user data, cease the dissemination of the data and halt third party processing of the data.

Procedures must be in place to document that the request was made and enforced and companies must prove the data was fully erased.

THE 7 DATA COLLECTION PRINCIPLES

The GDPR provides clear guidelines on how to process consumer data.

  • Data must be processed lawfully, fairly and in a transparent manner. Why the data is being captured and what it will be used for must be made clear at the time of data collection. Organizations must provide data processing details upon request.
  • Data must only be collected for specified, explicit and legitimate purposes. Organizations must have a lawful and legitimate purpose for processing each piece of data. If they collect unnecessary data for the specified purpose they will not be compliant
  • Collected data must be adequate, relevant and limited to what is necessary. Organizations must be sure that they’re collecting the minimum amount of data needed to fulfill the specific purpose of the data request.
  • Collected data must be accurate, and where necessary kept up to date. Data controllers must make sure their information remains valid. To comply, organizations must have a process and policies in place to address the maintenance of accurate data
  • Data must be retained only as long as necessary. This principle limits the movement of data and duration of data storage to help avoid data redundancy and replication. To comply, organizations must implement and enforce data retention policies and ensure safe storage of data
  • Data must be processed securely. Organizations are responsible for protecting the integrity and privacy of data by implementing the appropriate security measures within IT systems, paper records and physical security systems are in place.
  • There must be accountability in all processing activity. Organizations must be able to prove via a full audit trail of activities to governing bodies that they have taken the necessary steps to comply with the GDPR.

How can you prepare for GDPR?

  • 1. Bring Together Key Players

    Bring together various department members and key decision makers in your organization to discuss how data is currently used, plan for changes needed and start implementing updates now and continue to do so

  • 2. Conduct a Data Audit

    Create a document outlining all data sources, types of data stored and third parties with whom you share data. Ensure data is clean and up-to-date and that you have a process for maintaining records of all data processing activities.

  • 3. Plan Procedures for Data Breaches, Access & Erasure

    Confirm with your security team that you have the right procedures in place to detect, report and investigate a data breach. Also have a plan for what to do when consumers request access to their data or to delete their data from your system.

  • 4. Review Privacy Policies

    Ensure that you are including how you intend to use personal data, a lawful basis for collecting data and how long you plan to store the data. Add details for how an individual can ask questions, raise concerns or complain if they feel their data is not handled properly. Be sure your policy is transparent and easy to understand.

61% of companies have not started preparing for the GDPR 

TrustArc

  • 5. Update Your Forms

    Do you ask for consent to market to consumers in the way you plan to reach out to them? Do you need additional levels of approval for established contacts? Are you linking to your privacy policy at the point of data collection? Do you specify the length of time you will retain data? Do you have a system in place to record that consent was received? Do you market to children? If so, you may need to put an age verification system in place and obtain parental or guardian consent.

  • 6. Review System Security

    Do your website and online transaction processing tools leave your business open to risk? You may need to install an updated system for encryption, psuedonymization, identifying and blocking data breaches and ensuring data security.

Close