The GDPR requirements are aimed at consolidating and strengthening personal data protection for EU citizens.
The General Data Protection Regulation (GDPR) replaces a patchwork of data privacy regulations, creating a unifying data protection framework for the 28 countries within the European Union (EU) — a change that many experts believe is long overdue. In a nutshell, GDPR requirements increase the protection of personal data of the EU residents.
Here are the key components of GDPR and what they mean for corporate compliance.
European Regulation With Global Implications
While GDPR is a European regulation, it covers businesses that operate in the EU and process personal data of EU citizens. GDPR comes with stiff penalties for noncompliance — up to 20 million euros or 4 percent of global revenue, whichever is the greater amount, reports EUGDPR.org. Regulators also possess the ability to impose compliance orders or issue a halt to personal data processing by an organization in violation of GDPR.
A Shift From Static to Dynamic Data Compliance
Instead of requiring organizations to submit data to a government agency to certify their approach to data privacy, GDPR shifts much of the burden to businesses to demonstrate compliance by conducting internal assessments and documenting their findings. In addition, in certain circumstances, GDPR requires the appointment of a data protection officer.
Privacy and Security by Design and Default
Article 25 of the GDPR requires organizations to embed the tools and tactics needed to support security and privacy into the early design phases of their products and services. GDPR also recommends two complementary practices: pseudonymisation, which replaces personal data elements with pseudonyms, and data minimization, which means limiting the collection, storage and usage of data to the minimum needed to accomplish a particular purpose.
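To make the two Article 25 practices concrete, the following is an added illustration (not code from the original article) of how a data pipeline might pseudonymise identifiers and minimise a record before handing it to an analytics system. The record, field names and key are constructed for the example; the design assumption is that the HMAC key is held separately from the pseudonymised data, so that re-identification is only possible for whoever controls that key.

```python
import hmac
import hashlib
from typing import Any

# Constructed sample record, not real personal data: the kind of row a
# customer-service system might hold about one person.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "birth_date": "1985-04-12",
    "country": "DE",
    "plan": "premium",
    "last_login": "2018-05-20T10:15:00Z",
}


def pseudonymise(value: str, key: bytes, domain: str) -> str:
    """Deterministic, keyed pseudonym: HMAC-SHA256 over (field name, value).

    Determinism keeps joins working across datasets that share the key, and
    the field name is mixed in so the same string used in two different
    fields does not yield the same token. Without the key the token cannot
    be reversed or regenerated, which is what makes this pseudonymisation
    rather than plain hashing (an unkeyed hash of an email is trivially
    re-identifiable by hashing candidate addresses).
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(domain.encode("utf-8"))
    mac.update(b"\x00")  # separator between field name and value
    mac.update(value.encode("utf-8"))
    return mac.hexdigest()


def minimise(record: dict[str, Any], keep: set[str]) -> dict[str, Any]:
    """Data minimisation: drop every field the stated purpose does not need."""
    return {k: v for k, v in record.items() if k in keep}


def generalise_birth_date(birth_date: str) -> str:
    """Coarsen a full date of birth to the year, a common minimisation step
    when only an age band is needed for the purpose at hand."""
    return birth_date[:4]


def prepare_for_analytics(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Apply minimisation first, then pseudonymise the identifier that
    survives. Fields like email and full_name never leave this function
    because the analytics purpose (assumed here) does not need them."""
    needed = {"customer_id", "birth_date", "country", "plan", "last_login"}
    out = minimise(record, needed)
    if "birth_date" in out:
        out["birth_year"] = generalise_birth_date(out.pop("birth_date"))
    out["customer_id"] = pseudonymise(out["customer_id"], key, "customer_id")
    return out


if __name__ == "__main__":
    # The key would normally come from a separately managed secret store,
    # never from the same system that holds the pseudonymised output.
    demo_key = b"constructed-demo-key-do-not-reuse"
    print(prepare_for_analytics(SAMPLE_RECORD, demo_key))
```

Note what this does and does not achieve: the output is still personal data under GDPR, because the key holder can link tokens back to people. The practical gain is that an analyst, a leaked export, or a compromised reporting server sees neither direct identifiers nor more attributes than the purpose required.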
Mandatory Data Breach Reporting Requirements
When an organization uncovers a breach of personal data, it must notify the relevant authorities within 72 hours. If notification takes longer than 72 hours, the organization must provide a justification for the delay. There is an exception to the need to report a personal data breach if it "is unlikely to result in a risk to the rights and freedoms" of individuals covered under the directive.
Transfer of Personal Data
GDPR makes it easier to transfer personal data out of the European Economic Area (EEA), assuming appropriate safeguards exist to protect it. Under existing requirements, organizations can't transfer data outside of the EEA unless "adequate" protections exist or the European Commission has approved that country as a destination. That's in addition to the requirements that some businesses must satisfy with their home nation's data protection authority.
Under GDPR, organizations can also transfer data out of the EU if binding corporate rules exist, meaning that a group of organizations has one set of policies in place, approved by data regulation authorities, that protects data as if the data was processed in the EU. In addition, GDPR allows organizations to transfer data pursuant to model clauses adopted by the EU. However, a court case in Ireland calls into question the validity of such clauses.
Compliance With GDPR Requirements
With 99 articles and 172 recitals, GDPR represents a major departure from existing data protection regulation. The first step toward compliance requires an assessment of your organization's ability to comply with relevant components of the directive. By conducting a current state assessment of your organization to protect data under GDPR, you can uncover gaps in the people, processes and technology needed to do so.
Next, develop remediation plans and assign responsibility for their success to a task force led by a senior executive. Document your efforts to close the gaps, and deploy regular testing mechanisms to ensure the elements of your data protection program function as designed. Adopt a rigorous continuous improvement mindset that generates a document trail of your organization's efforts to comply. Such evidence may prove useful if your organization becomes subject to regulatory oversight.
For more information, watch the Workplace Compliance Spotlight webinar, GDPR: Need to Know Details for Compliance.