Key Steps for GDPR Compliance
It’s coming…are you ready?
On 25 May 2018, the European Union General Data Protection Regulation (GDPR) takes effect. It is the first comprehensive attempt at establishing data compliance standards across national economies. It establishes timelines to notify users of data breaches, penalties for non-compliance, and details specific rights for citizens to access their own data and understand why it’s being collected, processed, and stored.
Steps to Succeed under GDPR
GDPR requires organizations to design and build data protection into their systems and processes. They must identify and secure personal data across the entire data lifecycle: from collection and processing through storage and erasure. Organizations will now be held responsible and accountable under policies that protect individuals’ rights over their PII (Personally Identifiable Information). Under GDPR, organizations must provide for the following conditions and stipulations:
Before organizations collect data, they must provide data subjects with “concise, transparent, intelligible, and easily accessible” information regarding the data collected. This information must be clearly communicated and in writing (by electronic means, if appropriate).
Article 37 stipulates the designation of a Data Protection Officer (DPO), and Article 38 defines the position’s duties, including the following:
- The DPO oversees all issues relating to the protection of personal data.
- The DPO must understand data subject rights under GDPR and be accessible to answer individuals’ questions about organizational processes and the exercise of their rights.
- The DPO reports directly to the highest management level of the data controller and data processor.
Organizational data processes must be documented. When the nature and scope of this processing result in a high risk to the data subject, the data controller must produce a data protection impact assessment, specifically under the following conditions:
- Automated processing of personal data that informs legal or other significant decisions about the data subject
- Large-scale processing of criminal data or Article 9-protected data (e.g., race, political opinion, religion, trade union membership, genetic data, and health data)
- Systematic large-scale monitoring of a publicly accessible area
Breach Reporting
Articles 33 and 34 require breach notifications to the supervisory authority (“not later than 72 hours” after becoming aware of the breach) and to affected data subjects (“without undue delay”). The notification must provide the name and contact details of the DPO (or another designated contact), describe the likely consequences of the breach, and detail the measures taken to address it.
Controllers are obliged to erase a data subject’s personal data when any of the following conditions applies:
- The personal data is no longer necessary for the purpose for which it was originally collected.
- The data subject withdraws consent, and there is no other legal ground for the processing.
- The data subject objects to the processing under Article 21.
- The data has been unlawfully processed.
- Erasure is required to comply with European Union or member state regulations.
How Can FileFacets Help?
Compliance with GDPR is not optional, and noncompliance results in financial penalties (up to 4% of annual global turnover or £20 million, whichever is greater).
FileFacets provides the platform and methodology to help businesses comply with the EU’s GDPR. With years of experience in information governance, FileFacets helps you understand and meet the requirements.