GDPR is the new European data privacy regulation for the residents in the European Union. The regulation standardises data privacy in the European Union.
From May 25th 2018, companies not compliant with GDPR requirements will incur sanctions.
The Law called Informatique et Libertés was voted on January 6th, 1978. The law was subsequently amended several times.
Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR.
GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, which means it will be in force in May 2018.
GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Rapid technological developments and globalisation have brought new challenges for the protection of personal data.
These challenges include:
– Increasing individual rights;
– Empowering the businesses and organisations processing and holding the personal data;
– Communicating privacy information.
Establishing Project Team members
Map of personal data
– Inventory of processing personal data;
– Personal data classification;
– Description of the categories of data subjects;
– Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
– Identify risks;
– Prioritise the level of risk with regards to the rights and freedoms of natural persons.
Protection of the rights and freedoms of natural persons against risks
– Establishing data protection impact assessment;
– Implementing, by both the controller and the processor, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Organisation of internal processes
– Reinforcement of the right to access, to rectification, to erasure and data portability procedures;
– Implementation of policy for the personal data breach to protect the rights and freedoms of natural persons.
Formalisation of compliance procedures
The 5 key GDPR requirements
The DPO ensures compliance and is the contact point between the supervisory authorities and the firm.
The DPO must be involved in all issues relating to the protection of personal data.
This is how the security of the information system is strengthened: the company must be able to detect failures and fix them.
From the product’s design to the information system, the protection of personal data has to be considered.
The controller or processor should take the necessary measures to ensure compliance with data protection. These measures may be required by the authorities.
For new processing operations it is necessary to establish a Privacy Impact Assessment. For processing operations which are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.