What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU – from Wikipedia
Is it applicable to you?
Compliance is now a reality. It applies to all businesses (both data controllers and data processors, located anywhere in the world) that deal with information related to EU citizens. There is a hefty fine for non-compliance, and it can go up to Euro 20 Million.
Obligations under GDPR
- Privacy of user data: People have a right over who can collect their personal information, how it is used and how long it can be retained. The definition of personal data now also includes genetic data, profiling information, IP addresses and data in cookies.
- Data Security: Businesses need to have the highest-possible privacy settings by default. All personal data must be stored using pseudonymisation or full anonymisation. All usage of personal data must be with the user’s consent (this includes voice / video recording).
- Data Control: Businesses need to appoint a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR.
- Reporting: All instances of data breaches must be reported within 72 hours if they are going to affect the privacy of user data.
On one hand, GDPR is a compliance issue. However, if you really think about it, it is a step towards winning customers’ confidence. People will prefer to deal only with GDPR-compliant businesses, so it is a way to gain competitive advantage in the global marketplace.
How can we help you in becoming GDPR Compliant?
- Conduct a gap analysis between your present data protection compliance process and what is required under GDPR.
- Create an organisation-wide awareness program about what constitutes personal data.
- Conduct a Data Protection Impact Assessment (DPIA) and an information security gap analysis.
- Based on that, we will design a strategy for your company to comply with GDPR.
- Facilitate the creation of mechanisms for ensuring data protection by reviewing third-party contracts, and develop an accountability framework for them.
- Create an operational structure for complying with data protection regulation.
- Carry out periodic risk assessments and take steps to minimise your risk.
GDPR compliance frameworks
Organisations that do not already have a privacy compliance framework can use a standardised framework to demonstrate GDPR compliance. There are currently two recognised standards or frameworks that could be used:
- BS 10012:2017 compliant personal information management system (PIMS). Use BS 10012 to implement best practices for personal data protection and provide a framework for GDPR compliance.
- ISO/IEC 27001:2013 compliant information security management system (ISMS). Achieve accredited certification to ISO 27001 and demonstrate that your organisation follows information security best practices.
Sanver E-Solutions has access to GRC consultants and auditors who can provide not only GDPR compliance but also go beyond it and provide comprehensive cyber security compliance and solutions.