The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016, replacing the Data Protection Directive of 1995. It requires organisations to protect the personal data and privacy of individuals in the EU, whether the organisation is established in the EU or merely offers goods and services to people there or monitors their behaviour, and it regulates the transfer of personal data outside the EU.
From 25 May 2018 the GDPR applies directly in every member state, and any organisation that processes the personal data of people in the EU must comply with it or face corrective measures. These range from a written warning or reprimand to administrative fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements).
To help you prepare, here is a quick checklist for the new regulation:
GDPR Compliance checklist
1) Awareness and communication
Develop an information security and data protection policy so that all employees understand the GDPR, and explain to staff and service teams why you collect the data you collect. Build a culture of privacy in the company so that data protection by design and by default (Article 25) becomes routine rather than an afterthought.
2) Audit & Analysis of personal data
Inventory all personal data you store and process (not only special categories such as health or biometric data), where it comes from, who has access to it, how long you keep it and who is responsible for it; this is the record of processing activities that most organisations must keep under Article 30. The GDPR does not require data to be stored on servers physically located in the EU, but transferring personal data outside the EU/EEA is only permitted to countries covered by an adequacy decision or under appropriate safeguards such as standard contractual clauses or binding corporate rules (Chapter V), even when the processing is part of a global product or service.
3) Review procedures
Review your current privacy and security procedures and privacy notices, and rework their wording to make them compliant. Existing procedures need specific provisions covering every obligation in the regulation (lawful basis, data subject rights, retention periods, breach handling, contracts with processors), or must be rewritten in full.
4) Protect personal data
Apply technical and organisational measures appropriate to the risk (Article 32): encryption or pseudonymisation of personal data, access controls so that staff and systems see only what they need, the ability to restore availability and access after an incident, and a process for regularly testing that these measures actually work.
5) Access rights and customer consent
Identify a lawful basis (Article 6) for every processing activity. Consent is one of six bases, not the only one; where you rely on it, the consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give (Article 7). Be ready to honour data subject rights such as access, rectification, erasure and portability, normally within one month of the request (Article 12). Work with legal counsel where you are unsure that data is gathered fairly and in line with the regulation.
6) Data breaches
Implement procedures to detect, contain and document personal data breaches. You must notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals (Article 33), and inform the affected individuals without undue delay when the risk to them is high (Article 34), so make sure your incident response process can establish the facts and communicate with the outside world within that window.
7) Impact assessments
Carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring (Article 35), and consult the supervisory authority beforehand if the assessment shows a high residual risk (Article 36).
8) Appoint a Data Protection Officer (DPO)
Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); many other organisations appoint one voluntarily. Make sure you find the right person for the job: the DPO must have expert knowledge of data protection law, report to the highest level of management and be free from conflicts of interest.