GDPR, or the General Data Protection Regulation, is a set of rules designed to give EU (European Union) and EEA (European Economic Area) citizens control over how their personal data is collected and used online. The aim of the GDPR is to simplify the regulatory environment for businesses so that businesses as well as citizens in the European Union can benefit from the digital economy. GDPR demands greater accountability and transparency from organizations regarding how they collect, store and process personal information online.
Steps for GDPR compliance require:
- Establishing an accountability and governance framework
- Briefing management on GDPR risks and benefits
- Securing management support for the GDPR compliance project
- Appointing a director who will be responsible for GDPR
- Planning and scoping your project
- Appointing and training a project manager along with a DPO (Data Protection Officer)
- Identifying the entities that will be in scope
- Conducting a data inventory and a data flow audit
- Assessing data categories and the lawful basis of processing
- Mapping data flows within the organization
- Using the data map to identify the risks in data processing activities and whether a data protection impact assessment (DPIA) is required
- Conducting a detailed gap analysis
- Auditing the current compliance position against GDPR requirements
- Identifying compliance gaps that require remediation
- Developing operational policies and procedures
- Creating a record of personal data processing activities, drawn from the data flow audit and the gap analysis
- Bringing data protection policies and privacy notices into line with GDPR
- Updating and reviewing employee, supplier and customer contracts
- Planning how to recognize and handle data access requests and respond within a month
- Having a process for determining whether a DPIA is needed
- Securing personal data through the right procedural and technical measures
- Ensuring that policies and procedures are in place for investigating a personal data breach
- Reviewing whether data transfer mechanisms outside the EU are compliant
- Effective internal communication with stakeholders
- Employees must understand the importance of data protection and be trained on GDPR principles, and the procedures must be implemented.
GDPR checklist for small businesses
The checklist needs to take into account present and past employees, suppliers and customers.
- Understand the types of personal data you hold and the sources they come from.
- Identify whether you are relying on consent to process personal data. If that is difficult to establish under the GDPR, because the consent may not be clear and explicit, avoid relying on consent.
- Security measures and policies need to be updated to be GDPR-compliant. Broad use of encryption will reduce the probability of a large penalty in case of a breach.
- Be prepared to meet access requests within a month. Subject access rights keep changing, and under the GDPR people have the full right to access their personal data and rectify whatever is inaccurate.
- Due diligence on your supply chain must be conducted to ensure that all suppliers and contractors are compliant with GDPR.
- Fair processing notices must be created, describing to people what you are doing with their personal data.
- Decide whether you need to employ a Data Protection Officer (DPO) to carry out everything in a legal and amicable manner.
Penalties of GDPR
GDPR has a severe penalty structure, and the rules apply to both data processors and data controllers in the cloud, so large cloud providers are not off the hook under GDPR enforcement. Non-compliance may result in a fine of up to 4% of global revenue.
Some other important points about GDPR
- It is not necessary for a business to be GDPR certified, but at the same time GDPR encourages voluntary certification through bodies or organizations that comply with EN-ISO/IEC 17065/2012.
- The deadline for GDPR compliance is May 25th 2018, and there is no grace period.
- There is no requirement for regular governmental audits or inspections; however, supervisory authorities have the right to carry out audits.
- GDPR can affect anyone engaged in economic activity, irrespective of the size of the business.
- Saga is making an effort to ensure that all its active products are ready for GDPR.
- GDPR requirements supersede every existing national data protection law in EU member states.
- The UK government is implementing GDPR in new data protection law through the Data Protection Bill, and it will continue to be effective once Brexit takes place in 2019.
Finally, GDPR can also affect any business anywhere in the world that processes the personal data of individuals in the EU. Such a business must appoint a representative in the EU to handle GDPR enquiries if it offers goods and services to people in the EU or monitors their behavior.