GDPR tips and information with Spanish Point
From May 25th 2018, a new European privacy law called the General Data Protection Regulation (GDPR) takes effect. The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organisations that market to, track or handle EU personal data, no matter where an organisation is located.
What is GDPR?
The GDPR is a comprehensive new data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
What does the GDPR regulate?
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
Key GDPR Changes
Enhanced Personal Privacy
Strengthened data protection for individuals within the European Union (EU) by ensuring they have the right to access their data, to correct inaccuracies, to erase data, to object to the processing of their information, and to move their data
Increased duty for protecting data
Reinforced accountability of companies and public organizations that process Personal Data, providing increased clarity of responsibility in ensuring compliance
Mandatory breach reporting
Companies are required to report data breaches to their supervisory authorities without undue delay, and generally no later than 72 hours
Steep sanctions, including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply
How you can get started with GDPR compliance
Given how much work may be involved in preparing, you should not wait until enforcement of the regulation begins in May 2018. You need to begin reviewing your privacy and data governance policies and procedures now. Many organizations take this opportunity to review their data strategy and modernize their infrastructure. We recommend you begin your journey to compliance with the GDPR by focusing on four key steps:
Identify what personal data you have and where it resides
Govern how personal data is used and accessed
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
Keep required documentation, manage data requests and breach notifications