With fines for non-compliance of up to 4% of a company’s annual global turnover or €20 Million (whichever is greater), and applicable regardless of the company’s location (e.g. Mauritius), GDPR is a regulation that can no longer be ignored by any company processing personal data of EU residents (e.g. travel agencies, hospitality, banking, health care, insurance, etc.).
This article provides key facts as well as some resources to get started on the road to GDPR compliance.
---
1. Key facts about GDPR;
2. Relevant Definitions;
3. The route to GDPR compliance;
4. Going further.
---
1 - Key facts about GDPR
- GDPR was approved by the EU Parliament on the 14th of April 2016;
- GDPR comes into effect on the 25th of May 2018 and replaces the EU Data Protection Directive 95/46/EC;
- GDPR applies to all companies processing personal data of EU residents regardless of the company’s location;
- Fines of up to 4% of a company’s annual global turnover or €20 Million (whichever is greater) for non-compliance;
- Data breaches likely to “result in a risk for the rights and freedoms of individuals” must be reported to the relevant authorities within 72h of discovery and to their customers “without undue delay”;
- Terms and conditions for consent have been strengthened: they must be affirmative, clear and written in plain language;
- EU Citizens will have a right to access a copy of any of their personal data free of charge and in an electronic format;
- EU Citizens will have a right to be forgotten and to have their personal data erased;
- EU Citizens will have a right to data portability and to have their personal data transmitted to another entity;
- Privacy by design and by default must be enforced from the onset of designing systems;
- Data Protection Officers will have to be appointed by companies processing personal data on a large scale or of special categories of data.
2 - Relevant Definitions
- Data controller: An organization that collects data from EU Residents;
- Data Processor: An organization that processes data on behalf of a data controller;
- Data Subject: A person who is an EU resident;
- Personal data: “Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (European Commission).
3 - The route to GDPR compliance
The second step is to analyse personal data utilisation within your organisation to get clarity on your organisation’s scope for GDPR compliance.
The third step is to conduct a technical and non-technical assessment to identify relevant data privacy design, procedure and control gaps.
Finally, to demonstrate GDPR compliance, organisations need to document, implement and then enforce controls and procedures that meet the principles of Privacy by Design and by Default as per Article 25 of the GDPR.
4 - Going further
Contact us today for a free consultation at: consulting@elysiumsecurity.com