What Is GDPR: What you should know about the General Data Protection Regulation
In May 2018, the European Union’s General Data Protection Regulation (GDPR) came into force to improve the protection of personal data.
The GDPR will have a significant impact on organizations and how they handle data, with potentially very large penalties for companies that suffer a breach, reaching up to 4% of global revenue.
GDPR directly impacts the storage, processing, access, transfer, and disclosure of an individual’s data records and affects any organization worldwide that processes personal data of individuals from the European Union.
1. What is GDPR, who does it apply to, and what information does it cover?
The General Data Protection Regulation (GDPR) (Regulation 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR’s main objective is to give citizens and residents control over their personal data and simplify the regulatory environment for international business by unifying regulations within the EU. When the GDPR comes into effect, it will replace the Data Protection Directive (officially Directive 95/46/EC) of 1995. The Regulation was adopted on 27 April 2016.
It became enforceable on 25 May 2018 after a two-year transition period and, unlike a directive, does not require national governments to pass enabling legislation; it is therefore directly binding and applicable.
The proposed new EU data protection regime extends the scope of EU data protection law to all foreign companies that process data of EU residents. It harmonizes data protection regulations across the EU, making it easier for non-European companies to comply; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of global turnover.
Why was the GDPR drafted?
There are two reasons behind the GDPR. First, the EU wants to give people more control over how their personal data is used, given that many companies like Facebook and Google trade access to people’s data for the use of their services. Current legislation was enacted before the internet and cloud technology created new ways to exploit data, and the GDPR seeks to address that. By strengthening data protection laws and introducing stricter enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give companies a simpler and clearer legal environment in which to operate, by making data protection law identical across the single market (the EU estimates this will save companies a collective 2.3 billion euros per year).
So, who does the GDPR apply to?
Data controllers and data processors must comply with the GDPR. A data controller determines how and why personal data is processed, while a processor is the party that performs the actual data processing. Therefore, a controller could be any organization, from a for-profit company to a charity or a government. A processor could be an IT company that performs the actual data processing.
Even if the controllers and processors are outside the EU, the GDPR will still apply to them as long as the data belongs to EU residents.
It is the controller’s responsibility to ensure that their processor complies with data protection law, and processors must adhere to the rules for maintaining records of their processing activities. If processors are involved in a data breach, they are significantly more liable under GDPR than they were under the Data Protection Act.
What is personal data under the GDPR?
The EU has substantially broadened the definition of personal data under the GDPR. To reflect the types of data organizations now collect about individuals, online identifiers, such as IP addresses, are now considered personal data. Other data, such as economic, cultural, or mental health information, are also considered personally identifiable information.
Pseudonymous personal data may also be subject to GDPR rules, depending on how easily the individual behind the data can be re-identified.
2. How to prepare for compliance?
The introduction of GDPR is set to put data protection at the top of companies’ priority lists. So how can businesses ensure compliance, and what steps should they take? Let’s look at six steps below.
Understanding the GDPR legal framework
The first step to ensure compliance is to understand the legislation in force, as well as the implications of not complying with the required standards, by conducting a compliance audit against the GDPR legal framework.
Part of this compliance audit, regardless of company size, involves hiring a data protection officer to explain the regulations and how to apply them to the business. Ideally, this person should have a combined legal and technological background to understand both the regulatory framework and the technical specifications required for compliance. Since every organization is unique, the path to GDPR compliance will also differ. The leadership within the business needs to tailor its approach accordingly.
Create a data record
Once companies have a clearer understanding of their readiness to comply with regulatory requirements, they must keep a record of the process. This should be done by maintaining a Data Register—essentially a GDPR journal. Each country has a Data Protection Authority (DPA), which will be responsible for enforcing the GDPR.
This organization will judge whether a company has complied with the requirements and determine any potential penalties for non-compliance. If a violation occurs during the initial implementation phase, the company must be able to demonstrate its progress toward compliance to the DPA through its Data Log.
If there is no evidence that the company initiated the process, the DPA could impose a fine of between 2% and 4% of a company’s turnover, depending on the sensitivity of the data breached. The nature of the data could allow the DPA to issue the fine much more quickly.
Classify the data
This step involves understanding what data companies need to protect and how they are currently doing so. First, companies must identify personally identifiable information (PII)—information that can directly or indirectly identify someone—of EU citizens. It is important to identify where this information is stored, who has access to it, with whom it is shared, and so on.
Next, they can determine which data is most vital to protect, based on its classification. This also means knowing who is responsible for controlling and processing the data, and ensuring that all the correct contracts are in place.
Start with the top priority
Once the data has been identified, it’s important to begin evaluating it, including how it’s being produced and protected. With any data or application, the first priority should be protecting user privacy. When looking at the most private data or applications, companies should always ask themselves if they truly need that information and why. This data is always of greater value to a hacker and therefore carries the greatest risk of being compromised.
Companies must complete a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) for all security policies, evaluating data lifecycles from creation to destruction. It is important to remember, when doing so, the rights of EU citizens, including data portability and the right to restrict processing. The “right to be forgotten” is also one to consider as part of the GDPR.
This covers third-party data that can be used to identify someone and must be deleted upon request. It is vital that this data is properly destroyed and made inaccessible.
From this point, companies need to evaluate their data protection strategies—exactly how they are protecting data (for example, with encryption, tokenization, or pseudonymization). This should focus on the data being produced, the data that has been backed up—whether in-house or in the cloud—and the historical data that can be used for analytical purposes.
Companies must ask themselves how they are anonymizing this data to protect the privacy and identity of the citizens with whom they interact. It should always be kept in mind that data must be protected from the day it is collected until the day it is no longer needed, and then it must be destroyed properly.
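As an added illustration (not part of the original article), the following Python shows why the choice of pseudonymization method decides whether data is still easily re-identifiable: an unkeyed hash of an e-mail address can be re-linked from a list of candidate addresses, whereas an HMAC under a secret key kept apart from the data set cannot be re-linked without that key. The records, addresses and key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": "router"},
    {"email": "Bob@Example.com", "purchase": "switch"},
]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: anyone holding a candidate address list can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the data set
    (the 'additional information' that GDPR-style pseudonymization relies on)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed pseudonym; keep the other fields."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_id"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


def relinkable_without_key(pseudonyms: list[str], candidates: list[str]) -> dict:
    """Re-identification check: which pseudonyms can be matched from a candidate
    address list alone, i.e. without the secret key? Returns pseudonym -> address."""
    table = {naive_pseudonym(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this in a separate key store, not with the data
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]

    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    keyed = [r["subject_id"] for r in pseudonymise(RECORDS, key)]

    print("unkeyed hash re-linked:", len(relinkable_without_key(naive, candidates)))  # 2
    print("keyed HMAC re-linked:  ", len(relinkable_without_key(keyed, candidates)))  # 0
    # Destroying the key makes every keyed pseudonym permanently unlinkable, which is
    # one way to honour an erasure request for copies that cannot be rewritten.
```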
Evaluate and document additional risks and processes
Apart from the most sensitive data, the next stage is to assess and document other risks, with the aim of finding out where the business may be most vulnerable during other processes.
It is vital for companies to maintain a roadmap document to show the Data Protection Authority (DPA) how and when they will address these outstanding risks. These actions demonstrate to the DPA that the business is taking compliance and data protection seriously.
Review and repeat
The final step involves reviewing the results of the previous steps and making any deletions, modifications, and updates as needed. Once this is complete, companies should determine their next priorities and repeat the process from step four.
3. Master Data Management can be your ally
The transition to full compliance with the legislation will be neither easy nor cheap, but if companies choose to view this period of change as an investment in their data management, they could benefit from this process.
Master Data Management (MDM) is the foundation that can make the transition to GDPR much smoother and can even add business value that goes far beyond GDPR.
GDPR and MDM, how are they connected?
Many companies still maintain their customer data in siloed systems across multiple departments, regions, and systems. The problem with this is that it often leads to duplicate, incomplete, or conflicting information, with some sources being updated while others are left in silos and become increasingly obsolete.
The key to GDPR compliance is for organizations to break down these data silos. First, they must ensure that the personal data they store and the processes involved are accurate and up-to-date. Second, all associated data must be identified, and the company must know where the data is stored, what it is used for, and who has access to it.
That’s precisely what MDM does. Customer MDM creates a single source of truth for customer data. It does this by combining technology, processes, and services to establish and maintain an accurate and complete representation of each customer across multiple channels, lines of business, and companies—typically from numerous associated data sources derived from multiple application systems and databases.
How can MDM support GDPR efforts?
There are many situations you are likely to encounter under the new regulations. Here are some examples:
- Data breach. You will need to report any breach to the supervisory authority, as well as possibly inform the affected individuals, but to do so, you must be able to answer some basic questions:
  - Who exactly is affected?
  - How are they affected?
  - What is the role of the company?
  - Who currently has access to the data?
  - What do you need to do to contain the violation?
  - How can we prevent it from happening again?
- Individuals exercising their new data rights. If any individual requests to see their data, you must provide it in a readable format. If anyone requests that their data be erased (exercising their “right to be forgotten”), you must delete all of their data. This means not only canceling their marketing subscription but deleting everything, including metadata. If anyone requests that their data be corrected or completed (exercising their “right to rectification”), the organization is obligated to do so immediately, while ensuring that there are no outdated or conflicting duplicates of that individual’s data profile stored elsewhere.
- Managing individual consents. You need to have complete control and be informed about who has consented to what. In the case of children under 16, this becomes even more urgent and complex. Managing consent requirements demands strict data workflows and data business rules, as well as a clear data governance framework.
- Limitation of data storage. Under the GDPR, you must ensure that all personal data is kept in a format that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Submitting documentation to the authorities. Upon request, you must be able to document compliance with all legal aspects of the GDPR. This requires well-organized and reliable data. The GDPR text requires you to “implement appropriate technical and organizational measures” to be able to “demonstrate that processing is carried out in accordance with this Regulation.”
Addressing all these aspects effectively and with minimal risk boils down to data quality, data processes, and the organization’s data governance framework. An MDM platform should not be considered a complete GDPR solution, but it establishes the basic foundation for GDPR requirements and, in doing so, smooths the transition to these new regulations.
4. Best practices for GDPR compliance
Understanding the definitions of data protection
The main definitions in the current law will generally remain unchanged under the GDPR. If you have a good understanding of concepts like “personal data,” “sensitive personal data,” etc., you can apply them to your understanding of the GDPR.
However, there are some caveats. For example, “sensitive personal data” now includes biometric and genetic data, but excludes criminal convictions. Furthermore, data processors now have legal obligations under the GDPR, and organizations need to understand what those responsibilities are and distinguish them from the obligations of data controllers.
Know your processing terrain
The processing basis your business currently relies on will likely be the same as under the GDPR. “Legitimate business interest” remains a valid concept under the GDPR. However, you must be careful to ensure it’s being implemented correctly, as the GDPR imposes new and more stringent obligations.
For example, processing based on legitimate interests must be weighed against the rights of the data subject, and companies must explain why they believe their legitimate interests are not overridden by the data subject’s interests. The GDPR also clarifies that “affirmative consent” is required for consent to be valid. In other words, silence, pre-ticked boxes, or inactivity can no longer be interpreted as consent. Data protection authorities will take a dim view of companies that only appear to obtain consent.
Know your high-risk activities
Under the GDPR, organizations must adopt a risk-based approach to data processing activities. Regarding security, there is an obligation to conduct a privacy impact assessment to determine the level of risk associated with a given activity. In practical terms, this generally means that a company needs to evaluate all its activities to identify those that pose a high risk—a potentially lengthy process.
Knowing when to report a violation
If you process data within the EU and a data breach occurs that could result in harm to data subjects, your organization is legally obligated to notify the local Data Protection Authority. However, not all breaches require notification, and the deadline (72 hours) could be very difficult to meet. It’s essential to review your breach management procedures to be sure.
Knowing the rights of those affected
All current rights of data subjects will remain in place, and most are being expanded. To manage these rights, you must focus on providing accurate and detailed processing notices, streamlining data subject access requests, ensuring efficient procedures for handling “rectification and erasure” requests, and restricting processing when a data subject has raised a rectification request that has not been resolved.
Understand profiling
Profiling is a form of automated decision-making based on personal data. Those affected do not have the right to avoid being profiled, but they do have the right not to be subjected to a decision based solely on automated profiling.
There are numerous guidelines regarding the profiling of stored data. These include the need to:
- Notify the affected party at the time the data is collected that profiling will take place, the logic behind the creation of those profiles, and the expected consequences of the profiling.
- Respond to those affected who are interested in knowing if they have been profiled and the consequences.
- Have the automated decision reviewed by a human if requested by the interested party.
Understanding international data transfers
Companies with subsidiaries both inside and outside the EU should take note of the inclusion of Binding Corporate Rules (BCRs) in the GDPR. These rules provide a mechanism for transferring data within a company worldwide. Given the current threats to other mechanisms such as standard contractual clauses and the Privacy Shield, BCRs will be an attractive option for many companies after May 2018.