The primary objectives of the GDPR are to give individuals control of their personal data and to simplify the regulatory environment for international business by replacing the patchwork of national laws with a single set of rules across the European Union.
The regulation is not limited to organizations established in the EU: an organization anywhere in the world is subject to it when it processes the personal data of individuals who are in the EU in connection with offering them goods or services or monitoring their behaviour. Applicability turns on where the data subject is, not on citizenship.
Personal data is defined as any information relating to an identified or identifiable natural person. This includes online identifiers, such as IP addresses and cookie identifiers, where they can be linked back to the person. It also includes indirect information: factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person that can be traced back to that individual. There is no distinction between personal data about an individual in their private, public or work roles; all of it is covered by this regulation.
Controllers and processors must "implement appropriate technical and organisational measures" that reflect the nature, scope, context and purposes of their processing of personal data and the risk it poses to the individuals concerned.
Data protection safeguards must be designed into products and services from the earliest stages of development (data protection by design and by default). These safeguards must be appropriate to the degree of risk associated with the data held and might include:
• Pseudonymisation and/or encryption of personal data.
• Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• Restoring the availability of, and access to, personal data in a timely manner following a physical or technical incident.
• Introducing a process for regularly testing, assessing and evaluating the effectiveness of these measures.
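The first safeguard above is easy to get wrong in practice. Replacing an identifier such as an IP address with its plain SHA-256 hash looks like pseudonymisation, but the IPv4 space is only 2^32 addresses, so anyone holding the hashed data can rebuild the mapping by hashing every candidate. A keyed construction (HMAC with a secret key that is stored separately from the data, which is exactly the "additional information kept separately" in the GDPR's definition of pseudonymisation) defeats that enumeration. The following is an added illustration written for this page; it is not code from the page's author or from Vanguard, the sample IP address and demo key are constructed, and the function names are hypothetical.

```python
"""Added example: unkeyed hashing of an IP address is reversible by
enumeration; keyed pseudonymisation (HMAC-SHA256) is not, as long as the
key is held separately from the pseudonymised records."""
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample input: a client IP taken from the TEST-NET-3
# documentation range, i.e. the sort of online identifier that counts as
# personal data when it can be linked back to a person.
SAMPLE_IP = "203.0.113.45"

# Constructed demo key. In a real deployment this lives in a secrets manager
# or HSM, separate from the database holding the pseudonymised records,
# and is rotated so that pseudonyms from different periods cannot be joined.
DEMO_KEY = bytes.fromhex(
    "4f1c2a6e9b3d8f0715a2c4e6d8b0a2c4e6f8a0b2c4d6e8f0a1b3c5d7e9f1a3b5"
)


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address: looks opaque, but is reversible."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Same key + same IP gives the same
    pseudonym (so records can still be correlated for analytics or abuse
    detection), but without the key no candidate can be rehashed."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def enumerate_and_match(pseudonym: str, network: str) -> Optional[str]:
    """Attacker model: the adversary has the pseudonymised data but not the
    key, and tries every address in a candidate range against plain
    SHA-256. Over all of IPv4 this is 2^32 hashes, feasible on one machine
    in hours; the demo searches only a /24 so it finishes instantly."""
    for host in ipaddress.ip_network(network):
        if hashlib.sha256(str(host).encode()).hexdigest() == pseudonym:
            return str(host)
    return None


def demo() -> dict:
    """Run both schemes against the constructed sample and report whether
    each pseudonym could be reversed by enumeration."""
    naive = naive_pseudonym(SAMPLE_IP)
    keyed = keyed_pseudonym(SAMPLE_IP, DEMO_KEY)
    return {
        "naive_reversed_to": enumerate_and_match(naive, "203.0.113.0/24"),
        "keyed_reversed_to": enumerate_and_match(keyed, "203.0.113.0/24"),
        "keyed_is_stable": keyed == keyed_pseudonym(SAMPLE_IP, DEMO_KEY),
        "rotated_key_unlinkable": keyed != keyed_pseudonym(SAMPLE_IP, b"k2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same approach applies unchanged to IPv6 addresses, cookie identifiers or account numbers, since the functions operate on the identifier's string form. Note that keyed pseudonymisation still yields personal data in the GDPR's sense (the key holder can re-identify), so the records remain in scope; the measure reduces risk, it does not remove the obligation.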
Consent is one of several lawful bases on which personal data may be processed. Where an organization relies on it, the consent must be freely given, specific, informed and unambiguous, and the organization must be able to show how and when it was obtained.
Individuals must be able to withdraw consent at any time, and withdrawing it must be as easy as giving it. Individuals also have a right to erasure (the "right to be forgotten"): where the data is no longer needed for the purposes for which it was collected, or the consent it rested on has been withdrawn, it must be erased.
The regulation defines a personal data breach as a breach of security "leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Note that this covers loss of availability and integrity, not only disclosure.
In the event of a personal data breach, the controller must notify the appropriate supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it", unless the breach is unlikely to "result in a risk to the rights and freedoms of natural persons". The 72-hour clock starts at awareness, not at containment, and the notification may be delivered in phases if the facts are not yet complete. Where the breach is likely to result in a high risk to individuals, they must be informed directly as well, and every breach, notified or not, must be documented so the supervisory authority can verify the decision.
Vanguard offers a comprehensive approach to preparing for GDPR compliance: our Audit and Compliance solutions range from assessment through to full-scale remediation. Contact Vanguard for more detail.