What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a revolutionary change in Data Protection and will in all likelihood become the de-facto gold standard for Data Protection regulation globally. The regulation was adopted on April 14th 2016 and, after a two-year transition period, became enforceable on 25th May 2018. The two most significant areas of the regulation relate to Accountability and Enforcement.

  1. Accountability: The GDPR makes the controller responsible for ensuring that all privacy principles are adhered to. Moreover, the GDPR requires that your organization can demonstrate compliance with all of the principles.

  2. Enforcement: The member state Data Protection Authorities (DPAs) must rigorously enforce the Regulation by issuing substantive penalties where organizations cannot adequately evidence compliance with the GDPR accountability principle. The main task of these national authorities is to monitor the application of the Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.


Organizations in sectors such as finance and healthcare are already familiar with dealing with regulatory requirements. However, many other industries are bound to struggle with the implementation of these regulations. The enforcement day of May 25th, 2018 is approaching quickly, and action needs to be taken by organizations within the scope of the GDPR. One option is to hire an expert who holds a GDPR certification to tackle these tasks.

The important changes in the General Data Protection Regulation are:

  • It applies to data controllers and data processors operating in the EU, and to any company which processes the personal data of data subjects residing in the Union, regardless of the company’s location.

  • Consent must be as easy to revoke as it is to give; consent for minors must be given by their parents or guardians.

  • All individuals must have the right to revoke consent and have their data erased without delay and without any additional cost.

  • The individual has the right to transfer his or her data from one controller to another.

  • Data controllers and data processors who handle the data will be held responsible for all breaches.

  • Privacy must be made a priority for all businesses and shall be built into systems and processes by design.


PHASE I: Prepare

  • Obtain the buy-in of key business stakeholders

  • Establish your GDPR readiness program team

  • Identify and assess relevant business functions

  • Identify and assess in-scope Third Party Processing activities

  • Establish a central Personal Data register

  • Distribute updated Data Protection policies and Privacy Notices

  • Educate internal Personal Data Handlers and external Data Processors


PHASE II: Operate

  • Disseminate and maintain external Privacy Notices

  • Justify and record lawful Processing mechanisms

  • Process and record Data Subject rights requests

  • Validate and record Third Country data transfers

  • Report and manage Personal Data Breach Incidents


PHASE III: Maintain

  • Evidence understanding of Data Protection policies

  • Ensure the ongoing integrity and quality of the Personal Data Processing register

  • Trigger impact assessments for business change events

  • Verify compliance of Third Party Personal Data Processing activities

  • Demonstrate effectiveness of Personal Data handling practices