EU’s General Data Protection Regulation (GDPR) is a game changer in data protection and privacy laws. The EU has realized that while technology has evolved drastically in the last few decades, privacy laws have not. In 2016, EU regulatory bodies decided to update the current Data Protection Directive to suit the changing times. This law creates a comprehensive list of regulations that govern the process of EU residents’ personal data.
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
This law doesn’t have territorial boundaries. It doesn’t matter where your organization is from – if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.
If you are just getting started with GDPR compliance in your organization, here’s a quick to-do list to keep in mind.
- Create a data privacy team to oversee GDPR activities and raise awareness
- Review current security and privacy processes in place & where applicable, revise your contracts with third parties & customers to meet the requirements of the GDPR
- Identify the Personally Identifiable Information (PII)/Personal data that is being collected
- Analyze how this information is being processed, stored, retained and deleted
- Assess the third parties with whom you disclose data
- Establish procedures to respond to data subjects when they exercise their rights
- Establish & conduct Privacy Impact Assessment (PIA)
- Create processes for data breach notification activities
- Continuous employee awareness is vital to ensure continual compliance to the GDPR