In a few days, the European Union (EU) will begin enforcing the most stringent rules to date on how personal data may lawfully be collected, processed and stored. The General Data Protection Regulation (GDPR) is a sweeping data protection law that affects not only European businesses but every organization that handles the personal data of individuals in the EU, wherever that organization is based.
We list a few items that need to be in place before May 25, 2018.
1. Privacy statement
Organizations that process personal data must, according to the GDPR, inform the individuals concerned (the data subjects) that their personal data is being processed, and for what purpose. This is usually done by means of a so-called ‘privacy statement’: a statement from the controller (the party that decides which personal data will be processed, for what purpose and in which way) to the data subject.
2. Data Protection Agreement
When one organization processes personal data on behalf of another as part of their business relationship (a processor acting for a controller), the GDPR requires that processing to be governed by a written agreement containing specific provisions, often called a data processing agreement. Make sure you have such an agreement with every supplier that processes personal data on your behalf. This is critical for compliance.
3. Purpose is documented
Personal data may only be collected and stored for a specified, explicit purpose and on a valid legal basis. Consent from the data subject is one such basis, but not the only one: performance of a contract, a legal obligation or a legitimate interest can also apply. Make sure the purpose of storing and processing the data is well defined and written down. Personal data that is no longer necessary for the purpose it was collected for must be deleted or anonymized.
4. Consent is obtained and documented
Where consent is your legal basis, you must be able to demonstrate that it was obtained lawfully: freely given, specific, informed and unambiguous, and recorded in a way you can show later. You must also let data subjects see what data is collected about them and what is, or will be, done with it.
5. Documentation system is ready
One of the most important aspects of the GDPR is accountability: organizations must be able to demonstrate, quickly and easily, that they have taken the steps required to comply. Organizations must be able to hand this information and the supporting documentation directly to the supervisory authority when requested to do so.