The European Union General Data Protection Regulation (EU GDPR) is a set of rules governing how organizations that have data controlling, processing, or targeting activities established in the EU must process the personal data of data subjects. The regulation includes consent, retention, transparency, behavior monitoring, breach reporting, and automated processing requirements. GDPR defines responsibilities for organizations, regardless of EU processing location or data subject nationality, that:
- Broaden the definition of personal data to include biometric, genetic, and cultural/economic aspects
- Ensure the privacy and protection of personal data
- Provide data subjects with certain rights and
- Assign powers to regulators to ask for demonstrations of accountability—or even impose signi cant nes—in cases where an organization is not complying with GDPR requirements.
Top 10 Key Requirements
GDPR can be daunting, yet this regulation is not open to interpretation, has no formal certification, and has been implemented uniformly across the entire EU as of May 25, 2018. It is therefore important to grasp these 10 key GDPR requirements:
- Lawful: All processing should be based on a legitimate purpose.
- Fair: Organizations must take responsibility for, and not process data for, any purpose other than legitimate business or record-keeping purposes.
- Transparent: Organizations must inform data subjects—using clear, concise language—about the processing and targeting activities associated with their personal data.
2. Limitation of purpose, data, and storage / Limits on the use of automated processing of data to make decisions – Organizations are expected to limit data processing, collect only that data which is necessary, and not keep personal data once the processing purpose is achieved. Essentially, this means the requirements:
- Forbid processing of personal data outside the legitimate purpose for which it was collected.
- Mandate that no personal data, other than what is necessary, be requested from data subjects.
- Require that personal data should be deleted once the legitimate purpose for which it was collected is fulfilled.
3. Data subject rights / Right to rectify and remove data, / Right to be forgotten – Data subjects have the right to ask the organization what information it has about them, and what it does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data (right to erasure).
4. Consent – When an organization has the intent to process personal data beyond the legitimate purpose for which that data was collected, a clear and explicit consent must be received from the data subject. Once collected, this consent must be documented, and the data subject is allowed to withdraw consent at any time. Also, for the processing of child data, GDPR requires explicit consent of the parents (or guardian) if the child is under the age of 16.
5. Personal data breaches – Organizations must maintain a Personal Data Breach Register, and the regulator and data subject should be informed within 72 hours of any data breach discovery.
6. Privacy by Design – Organizations should incorporate operational and technical mechanisms to protect personal data when designing new systems and processes; that is, privacy and protection aspects should be ensured by default.
7. Data Protection Impact Assessment – To estimate the impact of system changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product. This procedure must be followed when a signi cant change is introduced in the processing of personal data. The change could be a new system or routine, or a change to an existing system or routine that alters the way personal data is being processed.
8. Data transfers / Right to move data from one service provider to another – Controllers of personal data have accountability to ensure that personal data is protected and GDPR requirements are respected, even if processing is being done by a third party. This means controllers have the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the organization, or to a third party and/or other entity within the organization.
9. Data Protection Officer – When there is significant processing of personal data in an organization, the organization should assign a Data Protection Officer (DPO). When assigned, the DPO is responsible for advising the organization concerning EU GDPR compliance. Learn about RedLegg vCISO program here
10. Awareness and training – Organizations must create awareness among employees about key GDPR requirements, and conduct regular training to ensure that employees remain aware of their responsibilities regarding the protection of personal data, including identification and notification of breaches within the 72-hour window.
GDPR Compliance Requires Dedicated Preparation
To conclude, a significant number of requirements relate to EU GDPR. It is important to understand these requirements and their implications for your company, and to implement them within the context of your organization. Such implementation requires a dedicated effort, similar to running a project: consultation with privacy experts is highly recommended to implement your GDPR program and ensure compliance.
More GDPR resources:
- 3-STEPS TO ESTABLISHING YOUR OWN GDPR COMPLIANCE PROGRAM
- GDPR CHECKLIST: PREPARING FOR ASSESSMENT & IMPLEMENTATION