The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was adopted on 27 April 2016 and applies from 25 May 2018 in all member states. As an EU regulation it is directly applicable: it does not have to be transposed into national law by any government or parliament, and it supersedes the existing national data protection laws in the EU as far as the protection of personal data is concerned.
What is “Personal Data“
“Personal Data” is any information relating to a living individual (the “data subject”) who is identified or identifiable, directly or indirectly, by anyone. Examples are a name, an identification number, a home address and other location data, an online identifier, and information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
GDPR also defines special categories of personal data (often called “sensitive personal data”): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data and biometric data processed to identify a person; and data concerning health, sex life or sexual orientation (Article 9). Data relating to criminal offences and convictions are subject to their own restrictions (Article 10).
Why you Care – Why you need to Comply
Here is a list of the most significant provisions by GDPR.
Penalties & sanctions apply: GDPR establishes administrative fines for non-compliance, including failure to protect personal data, of up to €20 million or 4% of the total worldwide annual turnover of the undertaking the organization belongs to, whichever is higher.
Wide scope & territorial reach: GDPR applies to organizations of all types and sizes, private or public, whether acting as “controllers” or “processors”, that collect, handle, store, process or transfer personal data of individuals in the EU, inside or outside EU territory. It also applies to organizations with no establishment in the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
Consent & purpose limitation: where processing relies on the data subject’s consent, that consent must be obtained, documented and demonstrable on request. It must be given freely, by an affirmative and unambiguous act, for the specific purposes the data subject was informed of, and the data may not then be used for other, incompatible purposes.
Right to erasure, restriction of processing, data portability: consent may be withdrawn at any time, and the data subject may request that his or her data be erased, that their processing be restricted, or that they be transferred to another legal entity, unless another legal ground prevents this.
Notification of data breaches: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and the affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them.
Accountability & privacy by design, data governance obligations: organizations must be able to provide evidence of their compliance with GDPR through a data-protection-by-design approach, conducting Data Protection Impact Assessments where required and implementing the resulting controls. This includes minimizing the amount and scope of data processed, specific policies, encryption and pseudonymization, auditing, etc.
Data Protection Officer: in certain cases (for example public authorities, or organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data), a Data Protection Officer must be designated.
Comply in Control in Six Steps
Comply with the GDPR through a smooth and controlled approach by following our “Six-Steps Comply-in-Control” methodology.
Step 1 : Commitment and Awareness
Stakeholder and management commitment are the most important success factors. Top-level commitment and active engagement are required throughout a project as complex as GDPR compliance. Forming the organization’s project team is an important part of this initial step.
An awareness campaign on GDPR should also run at the very early stage of the effort, so that all participants share a common language and understanding throughout the project.
Step 2 : Identify
During this step we apply our information collection methodology (workshops, one-to-one meetings and, where required, IT-tool-supported data collection) to identify and map personal data throughout your organization. We also collect key information, including but not limited to: the purposes for which data are collected and the processes through which the organization handles them, their retention period, their use within the organization, and their exchange with or transfer to/from any third parties.
Step 3 : Review Governance
In relation to the data identified in Step 2, we carry out an in-depth review and assessment of the existing IT data governance framework (including the IT and communication infrastructure, technologies, architectures and management systems in place). We also review the framework by which personal data are governed throughout their lifecycle, inside and outside the organization. This step is carried out through a number of workshops and meetings and provides the input for the gap analysis in the next step.
Step 4 : Analyze Status & Readiness
During this part of the effort we use all the information collected to assess in detail your organization’s current compliance status against the GDPR requirements. Where a processing activity is likely to result in a high risk to individuals (according to the regulation’s criteria), a Data Protection Impact Assessment (DPIA, also known as a Privacy Impact Assessment) may have to be carried out. The result is a detailed list of the gaps, risk exposures and non-conformities that have to be addressed and managed.
Step 5 : Prioritize and Implement
Remediation plan(s), including prioritization, will be proposed for each gap identified in order to achieve compliance. The plan(s) may address actions in several areas, including but not limited to:
- Governance & legal framework enhancements (including the organization’s data protection, IT governance and information security frameworks, policies, data classification, training, appointment of a Data Protection Officer, etc.)
- Operations, processes & procedures (may include updating existing procedures and processes or adding new ones, implementing management systems and solutions covering security, continuity and incident management so that a breach can be reported within 72 hours, procurement and contract management enhancements, etc.)
- Technology solutions (deployment of security equipment, data loss prevention software, cloud and encryption solutions, monitoring and control tools, solutions for erasing personal data or transferring them to third parties, etc.)
The final program to be implemented will be based on management’s decisions.
Step 6 : Monitor and Embed Compliance
Once the remediation has been implemented, a re-run of the gap analysis may be required to confirm that all areas have been addressed properly and that no non-conformities remain.
GDPR also requires organizations to ensure their continuous compliance. This can be achieved by implementing a monitoring and management system that supports the established compliance and may include activities such as internal and external auditing and periodic reviews and assessments. Through our services we can continuously support your organization and help you ensure that GDPR requirements are fully embedded in its daily operations.