Have You Planned For GDPR?

Have you started planning for GDPR? It is coming sooner than you think. Our IT Support services include all the necessary security updates, threat detection and response, and encryption procedures, so that you don’t have to worry about it!

What is GDPR?

GDPR, the General Data Protection Regulation, is an EU regulation that aims to harmonise data protection rules and strengthen data protection for all individuals in the European Union.

After four years of preparation and discussion, the GDPR was approved by the European Parliament on April 14th 2016 and will apply from May 25th 2018. GDPR replaces the earlier data protection directive, which was implemented at national level in 1995. GDPR, by contrast, will begin to apply in all Member States at the same time. GDPR applies to almost all companies operating in the EU, and the regulation also applies to organisations outside the European Union if they collect or process the personal data of EU residents.

What constitutes personal data?

Personal data is defined as any information relating to a natural person, or “data subject”, that can be used to identify that person, directly or indirectly.

Data breaches which may pose a risk to individuals must be notified to the affected individuals without undue delay, and to the data protection authorities within 72 hours. In case of a data breach, organisations can be fined up to 4 percent of annual global turnover or 20 million euro, whichever is higher.

Individuals can find out whether or not their personal data is being processed, where, and for what purpose. A copy of the personal data shall be provided free of charge when asked for. The data subject is also entitled to have his or her personal data erased by the data controller, under certain conditions. What’s more, public authorities, as well as organisations that engage in large-scale systematic monitoring or processing of sensitive personal data, must appoint a Data Protection Officer.

Getting ready for GDPR

Are you ready to get started in evaluating and implementing measures to ensure GDPR compliance? Leverage our checklist below to get closer to the GDPR finish line today:

Identify the personal data fields that you are collecting from EU citizens (natural persons)

  • What personal data is collected and/or processed?
  • Where is it stored or transmitted?
  • For how long?
  • What retention policies or processes apply to this data?
  • Can this be reduced?
  • Is it under your control or that of a contractor?
  • Does this data remain in the EU at all times?

Characterize the consent information and processes that exist when collecting this data

  • Are data subjects asked in clear language for explicit consent to collect and process their data?
  • Is consent granted at the time of collection?
  • Does the consent communication identify and provide contact information for the controller, processor and Data Protection Officer (DPO) where appropriate?
  • Does it describe the purpose of processing, security of processing, and legal basis?
  • Does it provide the period for which the data will be stored?
  • Does it name the recipients or category of recipients of the data?
  • Does it explain the data subjects’ right to access, rectify, request erasure or make portable their data, as well as their right to complain to a supervisory authority?
  • Does it state the intent to transfer the data outside of the EU?
  • Does it stipulate whether data collection is mandatory or optional, as well as the consequences of not providing said data?
  • Is it just as easy to withdraw consent as provide consent?

Characterize the ability to communicate with data subjects.

  • How do data subjects access, rectify, have erased, and extract their data for transfer?
  • How do data subjects withdraw consent?
  • How does the organization contact data subjects to report a breach?

Determine if current record-keeping measures and data processing policies are adequate.

  • Is there a record of data subject response to consent?
  • Is there a record or log of data processing events involving personal data?
  • Are these records secure, and do they allow queries, searches or reports by authorized personnel?
  • Are policies kept current that describe how data processing is performed in compliance with the Regulation?
  • If a controller is outside the EU, is there a designated representative within the EU, and is this documented?
  • If data processing services are contracted, does the legal agreement include the necessary clauses to ensure proper security and handling of personal data, so as to be in compliance with GDPR?
  • Is there sufficient access control to servers and buildings to prevent unauthorized individuals from accessing personal data?

Determine if data security practices and technology are adequate to meet GDPR requirements.

  • Are appropriate technical and organizational measures taken to ensure that data is protected from accidental or unlawful destruction, loss, or alteration and unauthorized or unlawful storage, processing, access or disclosure?
  • Does the security policy address the following:
    • How to protect data during storage and transmission
    • How to restore access to data when an incident disrupts availability
    • How to maintain situational awareness of risks and enable preventative, corrective and mitigating action in near real time against detected vulnerabilities or incidents that could pose a risk to data
    • How to regularly assess the effectiveness of security policies
  • Is there a process for providing breach notifications within 72 hours?
  • Is there a record of a Data Protection Impact Assessment (DPIA) assessing whether processing operations are likely to present specific risks?
  • Was it completed within the last two years, or immediately when there was a change to specific risks in processing operations?
  • Is there a designated DPO?
