GDPR – Determining GDPR Compliance
Once your organization decides to become GDPR compliant, that is when the fun starts – wading through the blogs, white papers, news coverage, conflicting information, etc. to determine exactly what needs to be done to ensure compliance. This probably seems like a lot of extra work, but becoming GDPR compliant is not as hard as some news reports make it out to be. For those organizations that already follow existing data security standards, such as PCI DSS, ISO 27001, or NIST, these new regulations should not be a burden. GDPR has a series of requirements that your organization must meet to be compliant. The focus of this blog series will be to review these requirements step by step so that you can determine your organization’s GDPR preparedness.
Choice and Consent
In the first portion of the GDPR, an organization must have an established set of privacy policies and procedures that obtain and document consent prior to processing personal data. This section asks such questions as:
- Does your organization have documented and enforced privacy and security policies and procedures to provide choices, where appropriate, to data subjects regarding use of their personal data?
- Does your organization obtain consent before processing personal information for specific purposes?
- If your organization collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect parental consent?
GDPR requires a person’s consent before that person’s personal information can be processed. Consent must be “freely given, specific, informed, and unambiguous,” which means that any consent forms must be written in plain language and easily accessible. Any consent form that contains legalese or illegible terms and conditions will likely not meet this requirement. In addition to this, the consent form must be easy to find. If you have a check box on your consent form, it must not be “pre-checked.” Next, a person must be allowed to withdraw consent at any time. There are additional consent requirements when the person is a child under the age of 16, as you need to collect parental consent as well.
Next, a business must, at the time of, or prior to, the processing of personal data, provide a detailed list of all the personal data that will be processed, the business’s contact information, the purposes for which the personal data will be collected, whether the business intends to transfer the personal data to another party, and any other information related to the individual’s rights regarding the personal data and how those rights can be exercised.
Records of Consent
Your organization will also need to develop means to document all records of consent. This includes developing a way to search all consent records to find specific records of consent for individuals upon request – at times the request may come from the data subjects themselves or from appropriate authorities.
The GDPR also provides several fundamental rights that belong to all persons whose personal data is processed.
These include the right to:
- Access the personal data (the “Right to Access”),
- Request the deletion of personal data (the “Right to be Forgotten”), and
- Receive personal data concerning the data subject and transmit that data (“Data Portability”).
No matter how your organization implements the GDPR, it should design its privacy programs with these rights in mind so that you are able to meet these requests when they come up.
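The two preceding sections describe what a consent record store has to support: an affirmative (never pre-checked) opt-in per purpose, parental consent for subjects under 16, withdrawal at any time, lookup of an individual’s records on request, and the access, portability and erasure rights. The sketch below is an added illustration of those behaviours in one place; it is not Intrinium’s code or any product’s API. It assumes a pseudonymous `subject_id` chosen by the organization, an in-memory list standing in for a real database, and constructed sample values in the `__main__` block.

```python
"""Minimal consent ledger illustrating GDPR consent records and data-subject requests.
Added example; the storage (a Python list) and identifiers are assumptions."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import json

CHILD_AGE_LIMIT = 16  # below this age the post says parental consent is also required


@dataclass
class ConsentRecord:
    subject_id: str                 # hypothetical pseudonymous identifier for the data subject
    purpose: str                    # the specific purpose consent was given for
    policy_version: str             # version of the plain-language notice that was shown
    given_at: str                   # ISO-8601 UTC timestamp of the opt-in
    parental_consent: bool = False  # set when a parent/guardian consented for a child
    withdrawn_at: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def _stamp(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, policy_version: str,
                       explicit: bool, age: Optional[int] = None,
                       parental_consent: bool = False,
                       now: Optional[datetime] = None) -> ConsentRecord:
        # Consent must be an affirmative act: a pre-checked box (explicit=False) is rejected.
        if not explicit:
            raise ValueError("consent must be an affirmative opt-in; pre-checked boxes do not count")
        # Children under the limit need parental consent recorded alongside their own.
        if age is not None and age < CHILD_AGE_LIMIT and not parental_consent:
            raise ValueError(f"subject under {CHILD_AGE_LIMIT}: parental consent required")
        rec = ConsentRecord(subject_id, purpose, policy_version, _stamp(now), parental_consent)
        self._records.append(rec)
        return rec

    def find(self, subject_id: str, active_only: bool = False) -> list[ConsentRecord]:
        """Search consent records for one individual (a subject or authority request)."""
        return [r for r in self._records
                if r.subject_id == subject_id and (r.active or not active_only)]

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before processing: is there an active consent for this purpose?"""
        return any(r.purpose == purpose for r in self.find(subject_id, active_only=True))

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> int:
        """Withdrawal is always allowed; the record is kept, marked with the withdrawal time."""
        count = 0
        for r in self.find(subject_id, active_only=True):
            if r.purpose == purpose:
                r.withdrawn_at = _stamp(now)
                count += 1
        return count

    def export(self, subject_id: str) -> list[dict]:
        """Right to Access / Data Portability: everything held about the subject, as plain data."""
        return [asdict(r) for r in self.find(subject_id)]

    def export_json(self, subject_id: str) -> str:
        return json.dumps(self.export(subject_id), indent=2)

    def erase(self, subject_id: str) -> int:
        """Right to be Forgotten: remove the subject's records and report how many were deleted."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)


if __name__ == "__main__":
    ledger = ConsentLedger()  # constructed sample data follows
    ledger.record_consent("subj-0001", "newsletter", "privacy-notice-v2", explicit=True, age=34)
    ledger.record_consent("subj-0002", "newsletter", "privacy-notice-v2", explicit=True,
                          age=12, parental_consent=True)
    print("may email subj-0001:", ledger.has_consent("subj-0001", "newsletter"))
    ledger.withdraw("subj-0001", "newsletter")
    print("after withdrawal:", ledger.has_consent("subj-0001", "newsletter"))
    print(ledger.export_json("subj-0001"))
    print("erased records:", ledger.erase("subj-0001"))
```

The design choice worth noting is that `withdraw` keeps the record and stamps it, while `erase` deletes outright: the first lets you later show that consent existed and when it ended, the second answers a deletion request. Which records an erasure request may leave behind is a question for your privacy policy and counsel, not for the code.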
Personal Data Security
Under the GDPR, organizations are required to implement the “appropriate level of security” for the personal data they process, including protection against loss, destruction, damage, or unauthorized access. If your organization is currently following security standards such as PCI DSS, ISO 27001, or NIST, this should be an easy requirement to meet.
What Does this Mean to Your Company?
How the GDPR applies to US companies collecting, using, or maintaining personal data can be complicated – particularly regarding those who collect data pertaining to individuals located both in and out of the EU. By reviewing the requirements and developing processes to meet them, your organization can become GDPR compliant. At Intrinium, we have been advising our clients to review their privacy policies and business needs to ensure that they are prepared to meet the requirements of the GDPR.