Enterprise Risk & Security Management

Strengthening Privacy Protection: Everything You Need to Know about the European General Data Protection Regulation

To protect the rights of citizens in regard to their personal data, the European Union (EU) has adopted the new General Data Protection Regulation (GDPR) that is due to take effect in May 2018. This regulation represents the EU’s endeavor to tighten privacy controls, safeguard the rights of data subjects, and establish trust between consumers and organizations.

The GDPR simplifies the regulatory environment relating to privacy rights for businesses in Europe. All organizations that are based in the EU or process personal data of EU citizens need to comply with this regulation. Organizations should look at the regulation not just as a mandatory activity to ensure compliance, but also as an opportunity to build customer trust and delight.

The paper covers eight key GDPR features and their operational impact.

  • Obtain consent: Organizations must ensure that consent is given by ‘data subjects’ freely, and that it is specific, informed, and unambiguous.
  • Ensure rights of individuals: The regulation protects the rights of individuals in addition to the existing data protection directive, defining their right to be informed, right to erasure, right to object, and more.
  • Demonstrate accountability: Organizations must not only deploy effective technical and operational measures to ensure compliance but also be ready to demonstrate these to supervisory authorities.
  • Assess data protection impact: Data controllers must perform a data protection impact assessment where processing is likely to result in high risk to individuals.
  • Ensure data protection by design as well as by default: Protecting data by design entails embedding privacy controls throughout the data lifecycle of new projects and systems. Data protection by default requires controllers and processors to implement technical and organizational measures to ensure that they only collect, process, and store data for the intended purpose.
  • Appoint data protection officers (DPOs): DPOs must be appointed for controllers or processors involved in large-scale regular and systematic monitoring of data subjects and processing of sensitive personal data or data related to criminal convictions and offenses.
  • Report data breaches: A data breach must be reported to a supervisory authority, or in some cases to affected data subjects, within 72 hours of being identified. Controllers should also evaluate the nature of the data breach, the categories of subjects affected, the consequences, and the remedial measures taken.
  • Avoid sanctions: It is critical to ensure stringent compliance, as organizations found in violation of this regulation could be penalized by as much as 4% of their global turnover or 20 million euros.

The Journey to GDPR Compliance

Organizations need to develop a systematic framework to create a privacy strategy and comply with the GDPR. The journey towards GDPR compliance should start with a thorough assessment of existing policies, processes, and security measures to identify gaps with respect to GDPR requirements. Based on this, organizations can create tactical and strategic roadmaps to prioritize measures and implement them in a phased manner to ensure compliance when the regulation comes into force in May 2018.