The GDPR harmonizes the data protection rules that apply to businesses across the EU, replacing the patchwork of national implementations of the 1995 Data Protection Directive with a single regulation. It applies to organizations established in the EU and to organizations outside the EU that process the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour; it is tied to where the data subjects are, not to their citizenship. Organizations should treat the regulation not merely as a mandatory compliance exercise but as an opportunity to build customer trust.
The paper covers eight key GDPR features and their operational impact.
- Obtain consent: Where processing relies on consent, organizations must ensure that the consent of the ‘data subjects’ is freely given, specific, informed, and unambiguous, and that it can be withdrawn as easily as it was given.
- Ensure rights of individuals: The regulation strengthens and extends the rights individuals had under the earlier Data Protection Directive, defining the right to be informed, the right of access, the right to rectification, the right to erasure, the right to object, the right to data portability, and more.
- Demonstrate accountability: Organizations must not only deploy effective technical and organizational measures to ensure compliance but also be able to demonstrate those measures to supervisory authorities on request, for example through records of processing activities and documented policies.
- Assess data protection impact: Data controllers must carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, such as large-scale processing of sensitive data or systematic monitoring of public areas.
- Ensure data protection – by design as well as by default: Data protection by design means embedding privacy controls throughout the data lifecycle of new projects and systems, from requirements through decommissioning, rather than bolting them on afterwards. Data protection by default requires controllers to implement technical and organizational measures so that, unless an individual chooses otherwise, only the personal data necessary for each specific purpose is collected, processed, stored, and made accessible.
- Appoint data protection officers (DPOs): A DPO must be appointed by public authorities and by any controller or processor whose core activities consist of large-scale regular and systematic monitoring of data subjects, or of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
- Report data breaches: A controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the affected data subjects must also be informed without undue delay. Processors must notify their controllers without undue delay. The notification must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it, and controllers must keep an internal record of all breaches, whether reported or not.
- Avoid sanctions: Stringent compliance is critical, as organizations found in violation of the regulation can be fined up to 20 million euros or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to 10 million euros or 2% of turnover applies to less serious infringements, such as failures in record-keeping or breach notification.
The Journey to GDPR Compliance
Organizations need a systematic framework for creating a privacy strategy and complying with the GDPR. The journey towards compliance should start with a thorough assessment of existing policies, processes, and security measures, including an inventory of what personal data is held, where it came from, and who it is shared with, to identify gaps against the GDPR requirements. Based on this gap analysis, organizations can create tactical and strategic roadmaps that prioritize measures and implement them in phases so that they are compliant when the regulation becomes applicable on 25 May 2018.