GDPR (General Data Protection Regulation) is designed to protect the personal data of European Union citizens, and to do so it regulates how such data is collected, stored, processed, and destroyed. Personal data includes names, addresses, and bank details, but also data relating to religion, race, and mental or physical characteristics, and even IP addresses, web cookies, contacts, and mobile device IDs, if they can identify an individual. The GDPR is made up of 99 articles that give a detailed explanation of the regulation, and since every organization is different, it is not possible to provide an exact set of instructions that will guarantee your organization is in compliance.
If your organization is not yet in compliance, you risk major financial consequences. Complying with the GDPR is a substantial responsibility, but it is essential to understand that it is a business project rather than just an IT or IT security project. The IT department can help ensure data integrity and protection, but new business processes may need to be put in place to guarantee that individuals can access their own data, that privacy is built into all systems and services, and that all other obligations of the regulation can be fulfilled.
Moving your organization into GDPR compliance is a process you should ideally have started long ago. The following general steps should be taken to fulfil the main GDPR requirements:
- Ensure that employees in your organization understand the importance of GDPR and of complying with it.
- Document in full the personal data that you hold. To do this you may need to organize an information audit.
- Regularly review your current privacy notices and make any necessary changes.
- Check your procedures to ensure that you can uphold individuals' rights to be provided with their data in a commonly used format, and that you can delete their data on request.
- Update your procedures so you can handle those requests within the required timescales.
- Identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.
- Review how you seek, record, and manage consent, and whether you need to make any changes.
- Consider how you verify individuals' ages and how you obtain parental consent for any data processing activity.
- Make sure you have procedures in place to detect, report, and investigate a personal data breach.
- Carry out Data Protection Impact Assessments (DPIAs).
- Assign someone to take responsibility for data protection compliance.
- If you operate in more than one EU member state, determine your lead data protection supervisory authority.