GDPR enforcement begins on May 25, 2018, so it is imperative to start ensuring you are GDPR compliant now.
Below is some information on what the GDPR is, the myths surrounding it, and how you should approach GDPR compliance.
6 Things the GDPR is:
1. A total data protection game changer
- Global applicability: it applies to organisations anywhere in the world that control or process EU citizens' data.
2. Applies equally in all EU member states
- As a regulation, the GDPR is directly effective and does not leave room for jurisdictional interpretation of all its rules.
3. Legislation with teeth
- For Irish organisations, this is a whole new world. The current Data Protection Act lacks the teeth to really punitively affect wrongdoers. The Data Protection Commissioner will be given new powers to impose fines of up to 4% of turnover or €20 million. Individuals will also be entitled to claim compensation where they have suffered a loss.
4. Encouraging of a risk-based approach to systems, strategies, product development, etc.
- The fundamental rights and freedoms of individuals to privacy must be balanced against the operations of the organisation. Risk assessments and built-in privacy considerations are to factor into every new approach taken by organisations.
5. Making organisations accountable
- The requirements for a Data Protection Officer, mandatory breach reporting and documented compliance place the onus on data controllers and processors to prove they are taking individuals' fundamental rights seriously.
6. Long overdue!
- Privacy has never been so challenged and technology has never been so advanced. Legislators are finally catching up!
6 GDPR Myths:
GDPR Compliance Approach
High-level approach to achieving GDPR compliance:
1. Cleanse
- Review all databases and cleanse out data which is old, inaccurate or no longer relevant.
2. Map
- Map out how the data is collected (identifying the legal basis), where data is received, where it goes, where it is stored, when it is used and who it is shared with. This gives a clear picture of all data collection points and activities which may need attention to move towards compliance.
3. Update
- Privacy policies and contact forms may need updating to ensure you are informing users of their rights, advising them of your specific data activities and only collecting data within the limits the GDPR allows.
4. Re-Permission
- Existing databases are not exempt from the regulation, and organisations need effective strategies and campaigns to re-engage contacts and gain the correct consent for continued processing activities.
5. Track
- There are many good consent management systems which make tracking consent easy and clear. This is especially important because you may need to prove consent when requested. It also makes changes to these activities faster and simpler to implement.
6. Audit
- As your business and data processing activities continue to evolve, you should regularly audit the processes in steps 1-5 to ensure your methods are still effective and compliant.