You’ve heard a lot about GDPR but do you know what effect it will have on your data practices?
What is GDPR?
General Data Protection Regulation (GDPR) was instituted to strengthen and protect the privacy rights of individuals. It establishes strict imperatives governing how organizations manage and protect personal data while respecting individual choice. The Regulation has already been passed in the European Union (EU) and its member nations, but it also applies to any organization doing business with EU nations, regardless of where they are located.
Key elements of the GDPR
Individual privacy rights –
GDPR provides enhanced data protection for individuals within the EU by allowing them to access their data and edit it to correct inaccuracies or remove personal information. It will also allow them a say in how their personal data is processed or shared.
Increased accountability –
Public and private companies and organizations that process personal data will be provided with clear instructions about their responsibilities and will be accountable for compliance.
Data breach reporting –
Companies are required to report personal data breaches to supervising authorities as soon as possible.
Penalty for non-compliance –
Stiff penalties will be levied for non-compliance. These penalties may include sanctions and substantial fines that will be demanded whether the non-compliance was intentional or inadvertent.
Key GDPR compliance roles and definitions:
There are specific roles defined by the GDPR that are important to keep in mind as you look at your compliance efforts.
Data Subject –
An individual whose personal data is collected by your organization.
The persons in your organization who control business applications, processors, processes, and procedures that collect or use the data.
Others in your organization who will have access to personal information.
In addition to understanding the above roles, you will need to differentiate between personal and sensitive data and how each type is created, processed, managed, and stored.
Personal data includes information related to a data subject. Direct data could be the subject’s name, address, or company relationship; indirect data connects another individual to the data subject.
Sensitive data such as name, identification number, location information, and an online identifier (such as email address or device ID) are afforded enhanced protection and require an individual’s explicit consent for use.
Beginning the journey to GDPR compliance
No doubt you can already see that GDPR will have a significant effect on how you do business. We recommend that you begin your journey to GDPR compliance by focusing on four key steps:
1. Identify the kind and amount of personal data you have and where it is stored.
2. Determine how the data is accessed and used.
3. Institute security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Document and report data breaches.
Focusing on the above should reveal any necessary changes, such as reexamining personal privacy policies, instituting or fortifying data protection controls and procedures for data-breach reporting, implementing highly transparent policies, designing new SOPs, and investing in any necessary IT and training.
The following posts in this series will discuss the approaches, recommended practices, and techniques involved in the above steps, and how Microsoft Dynamics GP can support your GDPR compliance. Keep up with BroadPoint's GDPR series for Microsoft users—