The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, be it data of residents or visitors.
The GDPR has made profound changes to the understanding of privacy, data protection and personal data in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.
Penalties for failing to comply with the articles of GDPR may subject the organization to fines up to €20m or 4% of the organization's total global revenue, whichever is greater. If your organization hasn’t begun the process to ensure compliance, there are certain highly effective steps that you can take immediately to bring your compliance program to life. Below are some of those steps and some advice to get started.
If your organization is late to the GDPR party, chances are there is an awareness issue. Complying with GDPR means taking meaningful actions to change the way your employees use personal data within your business, including being able to respond to incidents and breaches that affect that personal data. The awareness process supports all other processes by explaining, communicating and reinforcing both GDPR requirements and good practice. Therefore, raising awareness of the GDPR at all levels of the organization is imperative.
Classify and Identify Personal Data
Understanding the data that you hold is one of the key steps in understanding how to design a program for GDPR compliance. Your organization should take a multi-disciplinary approach to this process and work with various stakeholders such as business lines, operations, technology, data and analytics departments, human resources and potentially others, based on your business.
You should work to examine and map out your organization’s processes and data flows to identify any data inputs that may be linked to an identified (or indirectly identifiable) person. Where this is the case, the process or procedure handling the data must be identified and inventoried. It is also important to understand that this also applies to paper-based processing of data, for instance, filled-in forms sent in by mail or other paper-based forms. The output of this phase should include business process documentation, data flow diagrams, a personal data register and a data processing register.
Perform a Data Protection Impact Assessment
Taking the output from the previous step into account, performing a Data Protection Impact Assessment (DPIA) should be your next step. GDPR requires that a DPIA be performed in certain cases (e.g., processing of special categories of data, large scale data processing, etc.). A DPIA should be designed in order to describe the data processing, assess the necessity and proportionality of processing of that data and determine compliance with the GDPR requirements. The assessment should also ensure that the risks to personal data are properly mitigated and the safeguards and security measures in place to protect personal data are appropriate in relation to the risk. Any risks to personal data that are not appropriately mitigated should have a risk treatment plan assigned to them and be tracked through remediation.
If you have any questions related to your organization’s compliance with GDPR, please contact Dan Desko at 412-697-5285 or firstname.lastname@example.org.