In the digital age, data privacy concerns have come increasingly to the forefront. As part of the regulatory push to enshrine privacy rights, the General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, was proposed by the European Commission, adopted in April 2016, and became enforceable across the EU on 25 May 2018.
Because it is a regulation rather than a directive, it applies directly in every member state without needing national legislation to transpose it, and it carries stiff penalties for non-compliance: the upper tier of fines is up to 4% of worldwide annual turnover or €20 million, whichever is higher.
The GDPR is not simply for EU-based companies; it applies to any organisation worldwide that processes the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour, and it regulates the export of that data to countries outside the EU.
Alongside those extraterritorial and transfer rules, the GDPR strengthens the rights of EU data subjects over how their personal data is collected, used and shared. In plain terms, people in the EU are given as much control as possible over their personal data. (The regulation protects "data subjects in the Union", which covers residents and visitors, not only EU citizens; this page uses "citizens" loosely.)
For the purposes of the regulation, the European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
In addition, the definition of consent has been tightened (it must be freely given, specific, informed and unambiguous); parental consent is required for online services offered to children below the age of 16 (member states may lower this to 13); and data subjects have the "right to erasure" (the "right to be forgotten"), meaning that, where the grounds in Article 17 apply, such as the data no longer being needed or consent being withdrawn, they can demand that their data be erased from a particular organisation's systems. The GDPR also gives data subjects the right to information about, and access to, the personal data that organisations hold on them. This is exercised through Data Subject Access Requests, which an organisation must normally answer within one month.
It is a broad scope to say the least, which means that companies need to check every aspect of their data collection, processing and storage across every process of their business to ensure compliance.
To determine whether a company outside the EU is bound by the GDPR, it must first establish whether it offers goods or services to people in the EU or monitors their behaviour, and therefore holds or processes their personal data. If so, it has to map where that data is processed, stored and transmitted, including any transfers to third parties or to countries outside the EU. Then it needs to obtain and implement the tools and design necessary to ensure full compliance, followed by an audit to confirm that the controls work as intended.
In addition, there is the crucial decision of whether to appoint a Data Protection Officer. The GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organisations appoint one voluntarily. The DPO has a specific set of tasks and duties that are integral to compliance. While the role can be filled by one of your employees, there are strict requirements regarding conflicts of interest, independence, reporting lines to senior management and more, and they must be followed or there will be fines to face. The other option, which the regulation expressly permits, is an external DPO working under a service contract, a "virtual Data Protection Officer" service that 100% Security Labs offers.
We can handle every aspect of your company's GDPR compliance. We have the tools and the team to identify, design and implement solutions that ensure compliance with all aspects of this important regulation.