The European General Data Protection Regulation (GDPR) replaces the Data Protection Directive (95/46/EC) and will ensure global protection of the data of citizens of the European Union (EU), wherever they work.
According to Gartner, Inc., more than half of the companies affected will not be in compliance with the new rules. They advise organisations to focus on five changes:
1. Determine your role under GDPR
All organisations that process data will be labelled a “data controller” under these rules. This includes businesses outside the EU that provide goods or services to the EU.
2. Appoint a data protection officer
Those organisations that process large amounts of personal data or are part of the public sector are likely to be required to appoint a Data Protection Officer (DPO).
3. Demonstrate accountability in all processing activities
Organisations must be transparent regarding any decisions affecting the storing and handling of any personal data. Outside parties must also comply with these rules. Organisations will need to ensure that subjects give consent to the storage and acquisition of their data and be able to provide evidence of this consent.
4. Check cross-border data flows
Data transfer within the EU will still be permitted, as will data transfer to countries that the EU has decreed to have “adequate” levels of protection. Outside the EU, organisations responsible for holding personal data on EU residents will need to comply with GDPR.
5. Prepare for data subjects exercising their rights
Under GDPR, EU citizens have the right to be forgotten, to obtain data that organisations have on them (data portability) and to be informed of any data breach. Organisations need to have adequate controls in place to comply with these demands.