GDPR Requirements and How They Affect Your Company

The enforcement deadline has come and gone, but there are many organizations around the world that are still grappling with the GDPR requirements for compliance. Consider a recent survey by Crowd Research Partners, which revealed that 60% of businesses would not make the May 2018 compliance deadline. The reasons? Lack of budget and staff with the knowledge necessary to make the changes required to meet GDPR mandates. This is going to cause most organizations increased angst over the year ahead, as they rush to change the way they collect, handle, and store personal data.

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) is a sweeping change to consumer data protection and privacy. The essence of GDPR isn’t complicated: to help enhance EU citizens’ ability to control what data companies may hold about them.

The goal of GDPR is to standardize data protection requirements across all 28 member states of the European Union. The rules apply to any organization that controls, processes or holds personal data on EU natural persons. The EU defines personal data as “any information related to an identified or identifiable natural person.” This could include names, IDs, email addresses, photos, hobbies, religion, and sexual orientation; indirect identifiers, such as location data and IP addresses, are also protected.

To comply with GDPR requirements, organizational and technical controls need to be put into place that will ensure that data is not compromised. This will require — among other controls — data protection impact assessments, data protection by design, and having a data protection officer in place.

A number of key data security and privacy requirements drive GDPR. To be compliant, companies must:

  • Reasonably secure citizen data
  • Anonymize collected citizen data to protect privacy
  • Ensure the safety of data when transferring across borders
  • Obtain consent to collect citizen data

Summary of GDPR Requirements

Additionally, the GDPR defines explicit rights for data subjects that companies must abide by in order to maintain their compliance:

Data Subject Right / What It Means
Breach Notification
  • Breach notification is mandatory in all member states (there are caveats)
  • Notification must occur within 72 hours of first becoming aware that there was a breach
  • Companies that process data will also be required to notify their customers as soon as they are aware of the breach
Right to Access
  • EU citizens can ask companies if their personal data is being processed, where, and why
  • Companies must provide a copy of the data being collected in electronic format upon request
Right to Be Forgotten
  • EU citizens can ask companies to stop collecting/disseminating their personal data, ask them to erase that data, and have third parties halt further processing of that data
  • Data can be erased if it is no longer needed for its original purpose, or if consent is withdrawn
Data Portability
  • Controllers must enable EU citizens to bring a machine-readable copy of their personal data from one company to another company or provider
Privacy by Design
  • Companies must build data protection into their technology and operations at the outset, including via encryption and pseudonymization
  • Companies also must minimize the data they collect to only that necessary to run their business and deliver services
Data Protection Officers
  • Companies whose core activities include data processing will need to appoint a Data Protection Officer whose sole focus is data protection
  • Those companies must also adopt regular and systematic monitoring of data subjects

The enforcement of the General Data Protection Regulation in the EU has far-reaching consequences for companies of all sizes and across all geographies. Companies tasked with achieving compliance for their private cloud carry a weighty responsibility. Regulators can levy fines of up to 4 percent of global revenue against an organization found to be out of compliance with key GDPR requirements.

More information can be found at this website: www.eugdpr.org