GDPR Compliance
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
How Can You Comply With GDPR?
The European Union’s Global Data Protection Regulation (GDPR), enacted in 2018, has effectively replaced the 1995 Data Protection Directive. It includes a number of key changes that address modern data-driven environments. To comply, organisations must develop specific processes governing internal records and data breach notifications; appoint a Data Protection Officer; allow individuals to access and control what personal data is collected and how it is used; and more. Under the new territorial scope of the GDPR regulation, the law applies to many organisations that sell goods or services within the EU, regardless of where their businesses are located.
New GDPR requirements have created major concerns for data privacy professionals and others working with Governance, Risk, and Compliance (GRC). Organisations that fall under GDPR must embed privacy-by-design concepts across the enterprise, including their product lifecycle, vendor management, and human resources. In addition to a number of other requirements under the new GDPR definition, individuals must be notified of personal data breaches within 72 hours. Failure to comply with GDPR requirements can result in fines of up to 4% of an organisation’s global annual revenue, or up to €20 million, whichever is greater.
What You Need
Privacy by Design
Data protection and privacy-by-default concepts must be part of the launch of all data processing technologies and processes.
Timely Breach Notification
Effective and accessible reporting mechanisms should be in place so data breaches, big or small, can be reported and escalated immediately.
Policy & Procedure Updates
New GDPR requirements need to be operationalised throughout the organisation with extensive and thorough policy and procedure updates and dissemination.
GDPR Compliance Training
Employee risks should be identified and training should be assigned to educate at-risk employees on their new responsibilities under the Global Data Protection Regulation.
Steps You Can Take to Avoid GDPR Fines
Step 1
Make sure internal policy and procedure management capabilities allow you to align the entirety of your workplace with the broadened scope of new GDPR requirements.
Step 2
Manage individual requirements, investigative case management, crisis management, regulatory reporting, and other individual requirements proactively.
Step 3
Implement multiple whistleblower incident management reporting methods including a compliance hotline as well as deploy a comprehensive communications effort to inform employees of their role in identifying and reporting data breaches.
Step 4
Create and roll out a multiyear training programme that trains each employee group on the GDPR topics applicable to their roles and the data they manage.
Step 5
Extend your privacy-by-design standards through your supply chain, garner attestation to policies and identify reporting channels to all vendors and contractors with effective third-party management and due diligence.