How Organizations Stay GDPR Compliant

Come May 2020, it will be two years since the mandate of the General Data Protection Regulation (GDPR). As a reminder, the GDPR, comprised of 99 articles, “is a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies.” Citizens, in essence, have the right to request the erasure of their data, as well as the choice to opt in to or opt out of the portability of their personal data.

The GDPR was born out of the European Parliament replacing the outdated Data Protection Directive (DPD), adopted back in 1995. The DPD was no longer relevant since it did not address how to store, collect, and transfer data in today’s fast-moving digital age.

So, how do organizations stay GDPR compliant? First, they need to have clear consent and justification as it applies to the following data:

  • Personally identifiable information, including names, addresses, dates of birth, and social security numbers
  • Web-based data, including user location, IP address, cookies, and RFID tags
  • Health (HIPAA) and genetic data
  • Biometric data
  • Racial and/or ethnic data
  • Political opinions
  • Sexual orientation

Once they have identified where any of the above information is stored within their company, organizations must have in place a Record of Processing Activities (RoPA). This document shows the exact use of the data, measures in place to protect it, and how it is processed internally. This document may also include where risks exist and a plan to address them.

A data breach response plan is also required. This plan includes steps to report the breach(es) within a 72-hour time frame. And in today’s day and age, it’s not if you will have a breach, but when. The plan should also be reviewed annually for any changes to internal systems or acquisition of new data.

The GDPR also requires organizations to employ a Data Protection Officer (DPO), who is responsible for maintaining compliance and has expert knowledge of data protection laws and practices.

For companies that do not follow the GDPR, there are several administrative fines to be paid. The less severe can equate to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year (whichever amount is higher). These violations are in the areas of:

  • Controllers and processors
  • Certification bodies
  • Monitoring bodies

The more severe fines address the right to privacy and to be forgotten and can result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year (whichever amount is higher). These violations are found in the articles on:

  • The basic principles for processing
  • The conditions for consent
  • The data subjects’
  • The transfer of data to an international organization or a recipient in a third country

Individuals also have the right to sue organizations that cause them material or non-material damage by not adhering to the articles outlined in the GDPR.

Clearly, this is only the beginning for many. As an example, Brazil passed its own data protection law in 2018, the LGPD, slated for implementation this month. For more information on topics such as the use of cookies, the ePrivacy Directive, fines, Brazil’s LGPD February 2020 program, and more, check out the GDPR compliance website.