What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation drafted by the Council of the European Union with the goal of strengthening and unifying data security across the EU. The aim of the GDPR is to protect all EU residents from privacy and data breaches, as the number of data breaches and exposed individual records has been growing exponentially since 2005.
GDPR regulates the processing of personal data of individuals residing in the European Union, and it applies to both public and private organizations, regardless of whether the processing takes place in the EU or not. GDPR protects any information that can be linked to an identifiable individual such as search-engine entries, employee authentication, payment transactions, closed-circuit-television footage, and visitor logs.
The information can be in any format (structured or unstructured) and can be transferred in any medium including online, offline, or backup storage.
The GDPR contains 99 articles and is comprised of four components:
- A set of data protection principles outlining the main responsibilities of organizations under the regulation.
- A list of rights for EU citizens that organizations hosting their personal data must adhere to.
- Provisions that promote accountability and governance. This means that organizations are expected to implement comprehensive governance measures to ensure transparency.
- The obligation to disclose breaches to the relevant supervisory authority within 72 hours, and in some cases to the individuals affected.
- Right to access: data subjects have the right to obtain confirmation as to whether or not their personal data is being collected, and if so, where and for what purposes.
- Right to be forgotten: data subjects have the right to request that their personal data be erased, that further dissemination cease, and that processing by third parties stop.
- Data portability: data subjects have the right to transmit their personal data to another organization; no institution or organization has ownership of the data.
- Breach notification: all organizations are required to notify customers and controllers about a data breach within 72 hours of first having become aware of the breach.
- Privacy by design: organizations are legally required to include data protection when designing their systems.
- Data protection officer: DPOs are appointed to monitor compliance, inform and advise on obligations, and serve as a direct link between data subjects and the supervisory authorities in each member state.
- The regulation applies to all organizations processing the personal data of data subjects residing in the EU.
- The location of your organization does not matter.
- If your organization breaches GDPR, you can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Many considered 2018 a grace period for enforcing the GDPR. The regulators have clarified parts of the GDPR that were not clear enough at the outset, and as a result multiple adjustments have been made to better clarify the regulation. 2019 will therefore be the year of enforcement, when organizations will either comply with the law or face high fines imposed by the European Commission. The European Data Protection Supervisor Giovanni Buttarelli stated in a 2018 Reuters interview: “I expect first GDPR fines for some cases by the end of the year 2018. Not necessarily fines but also decisions to admonish the controllers, to impose a preliminary ban, a temporary ban or to give them an ultimatum”.
WCG can help you avoid fines and become compliant
- 95,180 individuals submitted complaints to Data Protection Authorities.
- 30,000 of these complaints were submitted between December 2018 and January 2019 alone.
- 41,502 data breach notifications by organizations.
- The major fines under the GDPR include €50 million imposed by the French CNIL (French administrative regulatory body) on Google for violations of the GDPR’s transparency and consent requirements.
Do you know your compliance status with the GDPR? WCG can help you by providing:
- GDPR Compliance Assessment: WCG conducts compliance tests to identify the potential gaps and vulnerabilities within your current personal data infrastructure and we provide recommendations for improvement to ensure you are in alignment with the GDPR regulation. This service will position your organization to better protect data and have effective operational procedures for handling data safely. This compliance assessment also includes:
- Data Privacy Assessment: WCG analyzes your organization’s data privacy management program, conducts a privacy impact assessment (PIA), and develops a strategy for implementing privacy controls that are compliant with GDPR requirements. After working with us, your organization will be in a better position to secure and manage personal data against potential risks.
- Data Mapping: Under GDPR Article 30, organizations must map their information and data flows and demonstrate where personal data is collected from the data subject. WCG develops data maps for your organization that illustrate the flow of personal data, enable you to effectively assess your privacy risks, and become part of your required Article 30 documentation.
- Mandatory GDPR Documents: WCG develops the mandatory documents an organization must have in place under the GDPR. These set out the principles, responsibilities, and commitments an organization must implement in its practices to be compliant under the law. The documents include, but are not limited to, the GDPR policy, data retention policy, record of processing activities, data subject consent forms, data breach forms, and standard contractual clauses. These documents are not optional; if they are not handled properly, fines and legal action will follow.
- Incident Response Management: WCG reviews, revises, and refines your incident response policy, plan, processes, and procedures to ensure they align with the GDPR articles. We enhance your incident response capabilities, including your breach notifications, allowing you to better identify, protect, detect, and respond to any potential or actual personal data incidents. Organizations that have used this service have become more proactive and better prepared to handle potential privacy breaches or legal disputes.
- Data Life Cycle Management: WCG works with your organization to develop viable mechanisms for identifying and managing new personal data being processed and used. We help you develop strategies to appropriately determine data storage, security, handling, and transmission, and we work with you to develop appropriate checkpoints and controls to ensure ongoing GDPR compliance. After working with us, data security threats are mitigated and minimized, making your data life cycle resilient.
- Data Strategy and Governance: WCG develops a comprehensive governance structure designed to function beyond the GDPR enforcement deadline. It is important to examine the security impact of any change to technology, processes, or personnel and to mature your organization’s approach to embedding privacy and security into all business activities. After working with us, your organization will have proper data governance and will be able to apply appropriate collection, authorized use, access, security, destruction, and privacy techniques at every stage of product development.
- Policy Management: WCG analyzes, reviews, and refines all relevant policies to ensure consistency with GDPR requirements. We will help you develop policies that enable your organization to better manage the rights of data subjects, the legal basis of all held data, and the agreements between you and third-party vendors, suppliers, and partners. Policies are intended to be long-term and often help guide the development of rules to address specific situations. Organizations that have used this service have improved their ability to consistently align personal data management policy with overall business strategy.
- Reduce the privacy risks of data management.
- Reduce the chance that the organization or its staff or customers will suffer financial or reputational harm.
- Achieve competitive advantages by reflecting the importance the organization places on protecting personal data thereby earning trust.
Contact us today. Our experts are here to help you avoid fines and ensure compliance.
Our goal is to ensure that our clients are compliant, secure, and protected so that their customers will also feel assured. WCG is committed to assisting organizations as they work to meet the requirements of the GDPR ahead of May 2018 and beyond.