The General Data Protection Regulation (GDPR) is aimed at strengthening consumer rights in the digital age by setting strict standards for protecting the security and privacy of personal data. The regulation, which took effect on May 25, 2018, creates a streamlined set of data rules across the 27 countries that comprise the European Union (EU).
The law applies to any organization that processes the personal data of people in the EU, even if the organization itself is based elsewhere. With fines for non-compliance of up to 4% of a company’s total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher, organizations must know and meet the requirements.
Complying with GDPR requirements.
Complying with GDPR requires a concerted effort on the part of organizations. For starters, here are nine essential GDPR requirements businesses need to consider:
- Familiarize yourself with data collection and processing rules. The GDPR gives individuals several rights regarding how companies handle their data, including the right to be informed about how their data is used, the right to access their data and to have it transferred to another company in a machine-readable form (data portability), the right to have it erased, and the right to restrict or object to its processing. It also requires that personal data be processed lawfully, fairly and transparently. To comply, your company must identify a valid lawful basis for every processing activity before it starts. Consent is one such basis, but not the only one: performance of a contract, a legal obligation and a legitimate interest that is not overridden by the individual’s interests are others. Where you do rely on consent, it must be freely given, specific, informed and as easy to withdraw as it was to give. Data may only be collected for specified, explicit and legitimate purposes, and you must collect only the minimum personal data needed for those purposes.
- Ensure data is accurate and up to date. Companies must ensure that any personal data they process is accurate and, where necessary, kept up to date; inaccurate or outdated data must be rectified or erased without delay. Under the GDPR, individuals have the right to request that inaccuracies be corrected and that incomplete data be completed. If your organization receives such a request, you must act on it without undue delay and at the latest within one month (extendable by two further months for complex or numerous requests, provided you tell the individual within the first month). If you refuse, you must tell the individual why and inform them that they can complain to the supervisory authority or seek a judicial remedy.
- Store data only for as long as necessary. Organizations may keep data that identifies a data subject only for as long as needed to achieve the purpose it was collected for. To comply with this requirement, your company should set retention policies that define how long each category of data will be kept and what happens to it afterwards. You should also implement regular reviews to ensure irrelevant and outdated data is deleted or anonymized on schedule. Note that pseudonymized data (for example, records keyed by a hashed email address) is still personal data under the GDPR; only data from which the individual can no longer be identified, by anyone, falls outside the regulation.
- Make sure your data protection policy is compliant. The GDPR requires that organizations protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage, using technical and organizational measures appropriate to the risk; the regulation itself names pseudonymization and encryption, the ability to restore availability after an incident, and regular testing of those measures. It also requires that data protection be implemented “by design and by default.” “By design” means that companies must build data protection into every new business process or service that uses personal data, from the first design stage. “By default” means that the most privacy-protective settings must apply automatically when a customer acquires a new product or service, without the individual having to change anything to strengthen them. To comply, your organization should review its data protection policy to make sure all personal data is securely collected, stored and processed, and that it is accessible only to those employees who need it to perform their jobs (least privilege), with that access reviewed regularly.
- Appoint a data protection officer. The GDPR requires certain organizations to designate a data protection officer (DPO) to oversee their compliance with the regulation. The DPO handles many tasks, including advising the organization and training staff on GDPR requirements, monitoring compliance and audits, advising on data protection impact assessments, and acting as a contact point for individuals about their data. The DPO is also the contact point for the supervisory authority on how the business processes personal data. A DPO is mandatory if your organization is a public authority or body, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health or biometric data) or of data relating to criminal convictions. The DPO may be an in-house employee or an outsourced specialist, full-time or part-time, but must be able to act independently and report to the highest level of management.
- Be able to demonstrate compliance. Organizations must be able to demonstrate compliance with the GDPR by documenting the data protection measures they have in place. To show accountability, your company should be able to produce its records of processing activities, contracts with data processors, proof of data protection training, and descriptions of the technical and organizational security measures you have implemented. You should also be able to name the controllers and DPO, and list the categories of people within your organization who have access to personal data and what they use it for.
- Quickly report any data breaches. When a personal data breach occurs, the controller must notify the competent supervisory authority (in the UK, the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. The notification must describe the nature of the breach, including the categories and approximate number of individuals and records affected, its likely consequences, the measures taken or proposed to address it and mitigate its effects, and the contact details of the DPO or another contact point. If your company does not yet have full information, report what you know and supply the rest in phases; if you miss the 72-hour window, you must explain the delay. Where the breach is likely to result in a high risk to individuals, the affected individuals themselves must also be informed without undue delay. Every breach, reported or not, must be documented internally so the supervisory authority can verify how it was handled, and a processor that discovers a breach must inform its controller without undue delay. Meeting this timeframe demonstrates respect for data privacy law and limits potential financial penalties.
- Make it easy for individuals to access their data. To ensure compliance with the GDPR, companies need to put the right processes in place to handle individuals’ requests about their personal data efficiently. Your organization should be able to show each individual the personal data you hold about them and, where the processing is based on consent or a contract and carried out by automated means, provide it in a structured, commonly used, machine-readable format they can transfer to another company. You should be able to act on requests to stop or restrict processing or to erase an individual’s personal data, and to correct or complete inaccurate or incomplete data. Verify the identity of the requester before disclosing anything: the regulation allows you to ask for additional information to confirm identity, and an unverified access request is an easy way for an attacker to harvest someone else’s personal data. Responses must use clear and plain language and be made without undue delay, at the latest within one month of receiving the request (extendable by two further months for complex or numerous requests, provided you tell the individual within the first month).
- Develop an employee training program. To prevent GDPR violations, companies must educate their employees about GDPR requirements. One effective way to do this is to create in-house training programs and webinars that engage your teams and motivate them to follow security policies at all times. These programs should educate your entire workforce about GDPR rules and principles, the privacy rights of individuals, the security measures they must take to avoid data breaches, and how to recognize and report a suspected breach internally so that the 72-hour notification clock can be met. Consider separate training tailored for employees who handle sensitive data and for those who design products and services that process personal data.
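The storage-limitation step above ("Store data only for as long as necessary") is usually implemented as a scheduled retention sweep. The following Python is an added illustration written for this page; it is not code from the original article or from SailPoint. The retention schedule, record model and sample records are assumptions constructed for the example. It shows the two practitioner details the list item hints at: an unknown data category fails closed instead of being kept forever, and "anonymize" means dropping the identifiers and the linkable record id rather than hashing them, because a hashed email is still pseudonymous personal data.

```python
"""Retention sweep: an added illustration, not the page's own code.

The retention schedule, record model and sample data below are assumptions
constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention schedule: category -> (days kept after last activity,
# action once that window ends). The periods are assumed; real ones come from
# the organization's retention policy.
RETENTION_POLICY = {
    "marketing_lead": (180, "delete"),     # no reason to keep a cold lead at all
    "support_ticket": (365, "anonymize"),  # keep ticket statistics, drop who raised it
    "order": (7 * 365, "anonymize"),       # long window, e.g. for accounting obligations
}

# Payload keys allowed to survive anonymization: none identifies a person on its own.
NON_IDENTIFYING_KEYS = {"product", "amount", "country", "resolution"}

# Fixed "now" so the sample below is reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Record:
    record_id: Optional[str]            # links to the customer; None once anonymized
    category: str
    last_activity: datetime
    email: Optional[str] = None
    name: Optional[str] = None
    payload: dict = field(default_factory=dict)
    legal_hold: bool = False            # e.g. subject to litigation; exempt from the sweep
    anonymized: bool = False


def expiry_of(rec: Record) -> datetime:
    """When the record leaves its retention window. Unknown categories fail closed."""
    if rec.category not in RETENTION_POLICY:
        raise ValueError(f"no retention rule for category {rec.category!r}")
    days, _ = RETENTION_POLICY[rec.category]
    return rec.last_activity + timedelta(days=days)


def anonymize(rec: Record) -> Record:
    """Irreversibly strip everything that identifies the data subject.

    Hashing the email, even with a secret key, would only pseudonymize the
    record, which under the GDPR is still personal data. Dropping the
    identifiers and the linkable record_id is what makes the result anonymous.
    """
    return Record(
        record_id=None,
        category=rec.category,
        last_activity=rec.last_activity,
        payload={k: v for k, v in rec.payload.items() if k in NON_IDENTIFYING_KEYS},
        anonymized=True,
    )


def apply_retention(records, now):
    """Run one retention review.

    Returns (kept, anonymized, deleted_ids). Records still inside their window,
    already anonymized, or under legal hold are kept unchanged.
    """
    kept, anonymized, deleted = [], [], []
    for rec in records:
        if rec.anonymized or rec.legal_hold or now < expiry_of(rec):
            kept.append(rec)
            continue
        _, action = RETENTION_POLICY[rec.category]
        if action == "delete":
            deleted.append(rec.record_id)
        elif action == "anonymize":
            anonymized.append(anonymize(rec))
        else:
            raise ValueError(f"unknown retention action {action!r}")
    return kept, anonymized, deleted


def sample_records(now):
    """Constructed sample data for the example (fictional people)."""
    def ago(days):
        return now - timedelta(days=days)
    return [
        Record("t-1", "support_ticket", ago(30), "ana@example.org", "Ana",
               {"resolution": "solved", "agent": "bob"}),
        Record("t-2", "support_ticket", ago(400), "li@example.org", "Li",
               {"resolution": "closed", "agent": "bob"}),
        Record("l-1", "marketing_lead", ago(200), "sam@example.org", "Sam"),
        Record("l-2", "marketing_lead", ago(200), "kim@example.org", "Kim", legal_hold=True),
        Record("o-1", "order", ago(10), "ana@example.org", "Ana",
               {"product": "sku-9", "amount": 42}),
    ]


if __name__ == "__main__":
    kept, anon, deleted = apply_retention(sample_records(EXAMPLE_NOW), EXAMPLE_NOW)
    print(f"kept={[r.record_id for r in kept]} anonymized={len(anon)} deleted={deleted}")
```

Running the sweep a second time over its own output changes nothing, which is the property a scheduled review needs: the already anonymized ticket is left alone, the held lead stays held, and the records still inside their windows are untouched until their expiry.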
Reducing your data risk exposure.
These nine essential GDPR requirements are intended as a starting place as you begin your GDPR compliance journey. By fully understanding this regulation and comprehensively meeting its requirements, organizations that handle EU personal data can respect individual privacy, reduce their data risk exposure, and minimize their chances of a data breach that compromises their business and results in a hefty fine.
As you work to ensure GDPR compliance, find out how SailPoint can help you to implement an effective identity security strategy that enables you to protect your systems, see who has access to what resources, and informs you when your systems may be under assault.