If your organization handles any personal information for a resident in the European Union (EU), then you should be aware of the upcoming General Data Protection Regulation (GDPR) going into effect on May 25, 2018, regardless of where in the world your company is located. GDPR significantly increases the obligations and responsibilities for organizations and businesses in how they collect, use and protect personal data. The key factor in the new law is the requirement for organizations to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.
Many of the main concepts and principles of GDPR are much the same as those in the current Data Protection Acts 1988 and 2003. However, GDPR introduces new elements and significant enhancements, requiring considerable work by all organizations and how it processes personal data. Some elements of GDPR will be more relevant to certain organizations than others, and it is important and useful to identify and map out areas that will have the greatest impact on your business model.
Organizations need to respect personal privacy by restricting what personal data they collect and process and by safeguarding that data. Privacy obligations apply to any information, either by itself or used with other pieces of information, that could identify an individual person living in the EU, including items such as:
The main tenets of GDPR that should be followed include:
The protection measures that are in place to secure personal data must ensure a level of protection appropriate to the sensitive nature of the data. As the risk associated with data becomes greater, so should the effort and expense of measures to protect the data. These measures should be regularly reviewed and updated as appropriate. Well-documented records about privacy and security decisions and measures help to show compliance with the requirements. In addition, organizations are legally bound to employ measures, such as contracts and due diligence reviews, to protect personal data when transferring it to external third parties or parties outside the European Union.
In the case of a personal data breach, organizations should report the breach within 72 hours after becoming aware of it. In most cases, organizations are aware of a breach the moment it occurs but it is critical to ensure that the once the breach is identified, the Incident Response Plan is enforced to mitigate the risk as well as normalizing the state of business operations. Failure for organizations to comply with GDPR can result in fines up to 4 percent of its global revenue or 20 Million Euros (whichever is greater), making GDPR one of the most financially costly global regulations in the world.
Doeren Mayhew’s dedicated Information Technology (IT) Assurance and Security Group is comprised of specialists who work closely with organizations across the world to ensure cybersecurity compliance. For more information, contact one of our IT assurance professionals today.
A quick registration is required to view our resources.
You will only be asked to do this one time (unless you don't save your browser cookies).