Why Are Most Organizations Still Non-Compliant?
The deadline for compliance with General Data Protection Regulation (GDPR) has come and gone, and your organization is fully compliant. Right?
The truth is, many companies are still non-compliant with GDPR for a variety of reasons, including misinformation, avoidance, or simply not having the time and resources to dedicate to understanding the regulation. In this GDPR guide for organizations, we walk you through the essentials of the regulation.
Individual Rights Under GDPR
The basis of GDPR is that individuals have several fundamental rights when it comes to their personal data, but who is actually in scope for GDPR? The regulation protects natural persons (living human beings) who are in the EU, regardless of their citizenship.
If your organization processes (collects, stores, or otherwise uses) data that can identify, directly or indirectly, a person in the EU, you are in scope, even if your organization itself is located outside the EU.
A recurring theme within GDPR is consent. Consent is one of six lawful bases for processing (the others include performance of a contract, a legal obligation, and legitimate interests), but where you rely on it, the consent must be freely given, specific, informed, and unambiguous, and the data subject must be able to withdraw it at any time as easily as it was given. Other rights that data subjects have under GDPR include:
Right to Access: Request and view the personal data held about them, along with how and why it is processed
Right to Object: Object at any time to processing of personal data, including direct marketing
Right to Restrict: Require that data be stored but not otherwise processed, except with the subject's consent or for legal claims, while an accuracy or objection dispute is resolved
Right of Notification: Be informed of rectification, erasure, or restriction, and of the recipients to whom the data has been disclosed
Right to Decision Making: Not be subjected to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects
Right to Data Portability: Obtain the data they provided in a structured, commonly used, machine-readable format and move it to another controller
Right of Rectification: Have inaccurate or incomplete personal data corrected
Right to be Forgotten: Request erasure of their personal data, which the controller must pass on to processors and other recipients
But how do GDPR and data subject rights actually affect your organization? The burden of proof and responsibility is on your shoulders.
You must be able to demonstrate consent where you rely on it, notify the supervisory authority within 72 hours of becoming aware of a personal data breach (and affected data subjects without undue delay where the breach is likely to result in a high risk to them), respond to data subject requests within one month (extendable by two further months for complex or numerous requests), and provide appropriate safeguards for the retention and transmission of data.
Additionally, there are new specialist roles within your organization to fill. A representative established in the EU is required if your organization has no establishment within the EU but offers goods or services to, or monitors the behavior of, data subjects in the EU. The representative acts as a contact point for supervisory authorities and data subjects, but designating one does not relieve your organization of its own liability.
A Data Protection Officer is required where the organization is a public authority, or where its core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data or criminal conviction data; many organizations appoint one voluntarily. The Data Protection Officer performs seven important functions:
- Conducts Audits
- Monitors and reports KPIs on data protection efforts to leadership
- Educates employees on proper compliance
- Trains staff on GDPR procedures
- Acts as the point of contact between the organization and GDPR Supervisory Authorities
- Establishes retention records and oversees the management of those procedures
- Acts as Privacy Representative for data subjects and supervisory authority
In addition to new roles, there are new assessments that your organization will need to conduct internally: a Data Protection Impact Assessment (required whenever processing is likely to result in a high risk to data subjects, for example large-scale profiling or monitoring) and a Legitimate Interest Assessment (needed whenever you rely on legitimate interests as your lawful basis, to show that your interest is not overridden by the rights of the data subject).
The goal of both assessments is to establish a genuine need for the proposed or current use of data, and to demonstrate that proper controls and safeguards are in place to protect data subjects. These assessments also act as a paper trail in the event your organization is audited.
Confused by The General Data Protection Regulation (GDPR)? VerSprite demystifies GDPR’s fundamental principles, breaking it down into the basics you need to understand GDPR compliance. Watch webinar replay →
Wherever you are in the maturity model of your security program, VerSprite can tailor its range of GRC services to fit both your near-term goals and capabilities, while still working toward an optimized model. Explore VerSprite's Governance, Risk and Compliance (GRC) Offerings →