The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located. The new data privacy regulation is designed to bring clarity and strengthen privacy rights for EU residents.
- A regulation, not a directive (it does not require EU member states to enact their own laws)
- Replaces a patchwork of laws across the EU (28 member states and 3 EEA member states)
- Applies to organizations worldwide that do business with, market products to, or gather behavioral data on EU residents
- Applies to both data processors and data controllers
- Sets fines and penalties
A key objective of the GDPR is a risk-based approach to data privacy, which helps organizations prioritize compliance while maximizing both privacy and the effective use of personal data. This encourages effective methods for ensuring a high level of protection of the rights and freedoms of individuals, and ultimately produces better outcomes and more effective protection for them. It lets stakeholders dedicate resources to the areas where the risks and potential harm to individuals are most significant, and mitigate those risks.
An organization must be able to demonstrate that it has implemented appropriate measures to mitigate privacy risks. This includes maintaining, and potentially providing to regulators, documentation of the data protections implemented, test procedures, and audit results. Here are a few considerations to help prepare your organization for the GDPR.
- Minimize the collection of personal data and ensure the right security controls are in place
- Perform a Data Protection Impact Assessment (DPIA) for high-risk data processing, or when transferring data outside the EU
- Minimize the types of personal data collected from data subjects, and the storage of that data
- Be capable of legally justifying collection of specific types of personal data
- The data controller must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing (in addition to the many other GDPR requirements, including data security, privacy by design, breach notification, legitimate interest, purpose limitation, and fair processing)
- The controller must keep records of data processing activities
The impact of the European General Data Protection Regulation is global, extending far beyond the EU itself. Security and risk management leaders should not try to become GDPR compliant alone: a diverse team is needed to translate the requirements and prioritize risk mitigation actions, and it is also advisable to seek the guidance and support of a partner well versed in the particulars of the GDPR. Non-compliance can bring a wide range of penalties and substantial damage. Data breaches themselves can cause substantial monetary and reputational damage, but the GDPR adds further consequences for organizations that fail to adequately protect personal data: companies found in violation can be fined up to 4% of their global annual revenue or 20 million Euros, whichever is higher. It is therefore crucial for security and risk professionals and business leaders to identify every business process affected by the GDPR.
It’s Not Too Late
Lynx Technology Partners has extensive expertise guiding organizations through the GDPR compliance process from both the US and the European perspective, which differ considerably. Lynx can perform a Data Protection Impact Assessment (DPIA) and work alongside your multidisciplinary team to navigate GDPR adherence. If the GDPR applies to your organization, schedule your free consultation with Lynx today!