Descending the mountain: Staying vigilant with data privacy regulations
- Posted on May 3, 2018
- Estimated reading time 3 minutes
Preparation for GDPR is an extensive process, ideally carried out by a team of security, data privacy and legal practitioners. Consulting firms like Avanade are available to assess an organization’s readiness for the new rules and requirements under GDPR. You may wish to read the various posts on GDPR preparation, published on our Avanade Insights blog.
No matter where your organization is located – within the EU or not – it must comply with the GDPR if it collects, processes, shares or stores personal data that identifies “EU data subjects.” This includes both personal data, such as names, physical addresses, age, gender, phone numbers, email addresses, etc. of any citizen or resident, as well as any “special category of personal data,” including racial or ethnic origin, biometrics data, disability, sexual orientation, genetic information, etc.
Remaining compliant looks very much like the initial setup of a GDPR program:
- Data inventory: This includes up-to-date documentation of all systems and processes that are impacted by GDPR, such as any personal data from EU data subjects that the enterprise currently has, where it is located, and with whom it might be shared or processed.
- Prepare for a potential data breach: When a breach is likely to result in a risk to the rights and freedoms of natural persons, organizations, as data controllers, are required to report a data breach no later than 72 hours after becoming aware of it or be prepared to provide the reasons for any delay.
- Training: Ensure that all new employees receive training during onboarding on the key components of the data privacy program, and make sure they understand their role in it.
- Make sure all EU data subjects understand their “absolute rights” over their personal data: That includes their understanding of how you will use the data – and their consent to those uses. Depending on the lawful basis of processing the data at issue, it may include their ability to change their mind about what they will and won’t allow, have their data returned to them upon request, and insist that their data be deleted from all systems and databases under the “right to erasure” (also known as the “right to be forgotten”) regulations. Simply stated, dependent on the lawful basis of processing, data subjects located in the European Union – anyone residing in the EU, not just EU citizens – can request that their personal information be removed from corporate databases in a timely fashion or know the reason why it can't. That said, it is important to note that according to the Office of the European Data Protection Supervisor, privacy and data protection are not absolute rights in the EU and may need to be balanced against legal obligations, contract, the corporation’s legitimate interests, and against other vital interests, such as national security.