New to GDPR? The basics explained in one page

GDPR is the new Data Protection Act (General Data Protection Regulation)

- The GDPR law was passed on May 28th 2018 and brought with it obligations concerning working with personal information.
- These obligations impose new rules on how individuals' private data is processed and stored.
- Penalties for non-compliance can be as much as 4% of annual turnover.

What are the headline points in the act?

- To store and process personal information, a valid legal basis for that activity must exist.
- Individuals have new rights which a company is obligated to respond to.
- A Data Protection Officer is required for larger, higher-volume processors and controllers of data.
- Breaches must now be reported to the regulator within 72 hours.
- Data processing systems and processes must be designed with protection in mind (privacy by design).
- New policies and procedures concerning the above must be implemented to reflect GDPR law, especially data subject rights and breach procedures.
- International safeguards must be applied if data is transferred out of the country.
- Risk assessments may be required on personal data (DPIAs and LIAs).
- Documentation of processes needs to be in place (Art. 30).
- Compliant contracts with your suppliers will need to be in place.
- A review of how you collect consent or opt-in for marketing will be required; if it is not compliant, you may have to stop marketing.
- Data retention policies will need to be applied to processes.

What are the headline items that organisations need to be doing now?

- A fundamental review of the organisation's affected data is required.
- A target operating model will need to be designed.
- A programme is required to address the gaps identified by the analysis above.
- Vendors will need to be selected to meet the data requirements of the act.
- Process policies and procedures will need to be designed to meet the requirements of the act.
- Direct marketing rules are more onerous as a result of the new obligations, and behaviour may need to be altered.
- Data storage locations, including third-party service providers, will need to be reviewed.
Disclaimer: these are the basic headline items; there is much more to uncover in the detail. I can help formulate your programme.