GDPR Compliance – General Data Protection Regulation
The most important change in data privacy regulation in 20 years
General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data”.
GDPR requires organizations to maintain appropriate security of personal data, and failure to comply with the GDPR could result in significant penalties.
TechQuarters can help organisations to implement the right processes and technology to conform to the regulations.
What is it?
General Data Protection Regulation (GDPR) is a comprehensive new privacy law that gives residents of the European Union (EU) greater control over their “personal data” (which is precisely defined by the GDPR) and requires organizations to maintain appropriate security of personal data according to strict new guidelines.
The regulation protects individuals in every member state of the European Union. The UK Government has also stated that it will continue to conform to the GDPR requirements after Brexit.
The regulation is essentially aimed at providing better protection of consumer and personal data across EU nations. Key privacy and data protection requirements of the GDPR include:
- Requiring a lawful basis for data processing, such as the consent of the data subject
- Notifying the supervisory authority (in the UK’s case the ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it
- Notifying the affected data subjects without undue delay when the breach is likely to result in a high risk to them
- Safely handling the transfer of data across borders
- Providing the subject with various rights, such as:
  - ‘The right to erasure’ (the ‘right to be forgotten’: deleting their data from the controller’s systems)
  - ‘The right to data portability’ (receiving their data in a structured, commonly used, machine-readable format and transferring it between service providers)
- Carrying out data protection impact assessments where processing is likely to result in a high risk to individuals
- Appointing a data protection officer in some cases, notably for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data (genetic or health data, racial or ethnic origin, religious beliefs, etc.)
GDPR mandates a baseline set of standards for companies that handle the personal data of individuals in the EU, to better safeguard the processing and movement of that data.
Failure to comply with the GDPR could result in significant penalties.
What you need to know
How much can companies be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements.
When will the GDPR come into effect?
The European Parliament approved and adopted the GDPR in April 2016 and enforcement will begin May 25, 2018.
GDPR is also Multinational
When it comes to GDPR compliance, it is not just European organizations that are affected: organizations outside the EU are also in scope if they process personal data in connection with offering goods or services to EU residents, or monitoring their behaviour.
There is help at hand
TechQuarters provides GDPR consultancy, advice and managed services that help organisations implement the right processes and technology to conform to the new General Data Protection Regulation.
How does our service work?
TechQuarters performs the work using a phased approach.
Initially we implement software on your network devices and endpoints. This audits all Personally Identifiable Information (PII) held in those locations and produces a report on how much PII there is and where it is stored, excluding what can be described as trivial, inconsequential data, so that the data can be actioned.
The next stage is to decide what to do with the data: either leave it in situ or move it to a centralised location. Typically the data is then meta-tagged and indexed for future search purposes, and surfaced into a SharePoint library or Azure Storage.
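To make the discovery step concrete, here is an added example in Python that is not TechQuarters' tooling and not part of the original page: it walks a directory tree, counts likely PII hits per file using heuristic detectors (e-mail addresses, UK National Insurance number shapes, and payment card numbers filtered through the Luhn checksum to cut false positives), drops files below a hit threshold as "trivial" noise, and prints an inventory of where the data sits. The sample files it scans are constructed for the example and contain no real personal data; the regular expressions are illustrative shapes, not production-grade detectors.

```python
"""Toy PII discovery scanner (added example, not TechQuarters' software).

Walks a directory, counts likely personal-data hits per file, drops files below
a noise threshold, and returns an inventory that can be turned into a report.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Heuristic detectors. The NI pattern is only the shape (2 letters, 6 digits,
# suffix A-D), not HMRC's full prefix rules; tune these for your own estate.
PATTERNS: dict[str, re.Pattern[str]] = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
    # 13-19 digits with optional space/dash separators; validated by Luhn below.
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, int]:
    """Count PII hits per category in a block of text."""
    counts: dict[str, int] = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card_number":
            hits = [h for h in hits if luhn_valid(h)]  # drop non-card digit runs
        if hits:
            counts[name] = len(hits)
    return counts


@dataclass
class Finding:
    path: Path
    counts: dict[str, int] = field(default_factory=dict)

    @property
    def total(self) -> int:
        return sum(self.counts.values())


def scan_tree(root: Path, min_hits: int = 1, max_bytes: int = 5_000_000) -> list[Finding]:
    """Walk `root`, scan readable files, keep those with at least `min_hits` hits."""
    findings: list[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > max_bytes:
            continue  # skip very large files in this toy version
        text = path.read_text(encoding="utf-8", errors="ignore")
        counts = scan_text(text)
        if sum(counts.values()) >= min_hits:
            findings.append(Finding(path.relative_to(root), counts))
    return findings


# Constructed sample files (no real personal data) used to exercise the scanner.
SAMPLE_FILES = {
    "hr/starters.csv": "name,email,ni\nA Example,a.example@example.co.uk,AB 12 34 56 C\n"
                       "B Example,b.example@example.org,CD123456A\n",
    "finance/refund.txt": "Card 4111 1111 1111 1111 refunded. Ref 4111 1111 1111 1112 rejected.\n",
    "notes/todo.txt": "Order toner. Call the plumber on 020 7946 0958.\n",
}


def write_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo_scan(min_hits: int = 1) -> list[Finding]:
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return scan_tree(root, min_hits=min_hits)


def render_report(findings: list[Finding]) -> str:
    return "\n".join(
        f"{f.path.as_posix()}: {f.total} hit(s) {dict(sorted(f.counts.items()))}"
        for f in findings
    )


if __name__ == "__main__":
    print(render_report(demo_scan()))
```

In the constructed sample, the HR spreadsheet and the finance note are reported, the second card number is discarded because it fails the Luhn check, and the to-do file (a phone number only) falls under the threshold and is left out of the inventory. A real deployment would add detectors for the data types your organisation actually holds and feed the inventory into the tagging and storage step described above.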
Most organisations need some help and guidance, both on initial compliance and on the processes that need to be implemented internally to ensure ongoing compliance. It is common for HR or Operations within an organisation to be allocated the internal task of monitoring business processes for conformity with the regulation. Generally they need to be trained on the compliance requirements so that they can monitor processes and take the necessary actions internally when new personal data surfaces.
We typically introduce a GDPR consultant who will work with and train your internal lead on the business processes and technology solutions that need to be implemented to protect and secure your organization, both now and in the future.
Our Phased Approach is broken down into these sections
Phase 1 – Discover
- Implement software to identify all personally identifiable information (PII)
- Report on internal devices and end point data
Phase 2 – Manage
- Assign a GDPR compliance consultant to your organization
- Help you identify processes/documentation that need to be implemented
- Train your internal resource on future compliance needs
Phase 3 – Protect
- Assign a GDPR technology consultant to implement security standards
- Create a repository for data housing of PII information
- Implement threat management and protection solutions
- Create alerts for new PII information that surfaces on the network
Phase 4 – Report
- Produce the ongoing reports needed to identify PII
- Produce reports on irregular activity on the network