Once your organization decides to become GDPR compliant, that is when the fun starts, because it is your job to determine exactly what needs to be done to ensure compliance. Becoming GDPR compliant is not as hard as some news reports make it out to be. For organizations that already follow existing data security standards such as PCI DSS, ISO 27001, or the NIST frameworks, the new regulation should not be a burden: most of the technical controls are already in place, and the work is mainly documenting them and adding the privacy-specific processes. Below is a list of the top eight must-knows about GDPR and how it will impact your organization if you choose to comply with the new regulation.
1. Data Security – Under the GDPR (Article 32), organizations are required to implement a level of security "appropriate to the risk" for the personal data they process, including protection against loss, destruction, damage, and unauthorized access or disclosure. The regulation names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of the controls as examples of what "appropriate" looks like. If your organization is already following security standards such as PCI DSS, ISO 27001, or NIST, this should be an easy requirement; the main gap is usually being able to show which controls protect which personal data.
2. Privacy Program – The key is to have a documented privacy program that is actually enforced, not just written down.
- Does your organization have documented and enforced privacy and security policies and procedures to provide choices, where appropriate, to data subjects regarding use of their personal data?
- Does your organization identify its lawful basis (and obtain consent, where consent is the basis it relies on) before processing personal data for each specific purpose?
- If your organization collects information from children younger than 16 years of age, have you created and documented policies and implemented processes to collect and verify parental consent? (Article 8 sets 16 as the default, but allows member states to lower the age to as low as 13, so check the threshold in each country you serve.)
3. Consent – Consent is one of the six lawful bases for processing under Article 6 (the others include performance of a contract, a legal obligation, and legitimate interests). Where your organization relies on consent, the GDPR requires that it be obtained before that person's personal data is processed, and it imposes the following conditions on how it is obtained.
- Consent must be “freely given, specific, informed, and unambiguous,” which means that any consent forms must be written in plain language and easily accessible.
- Any consent form that contains legalese or illegible terms and conditions will likely not meet this requirement. In addition to this, the consent form must be easy to find.
- If you have a checkbox on your consent form, it must not be "pre-checked." Silence, inactivity, or a pre-ticked box does not count as consent; only an affirmative action by the person does.
- A person must be allowed to withdraw consent at any time, and withdrawing must be as easy as giving it. Keep a record of when and how each consent was given and withdrawn, and which version of the notice the person saw, because the burden is on you to demonstrate that valid consent exists.
- If the organization sets up the consent program correctly, then this can be an easy one.
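The consent rules above translate directly into a few properties a consent store must enforce: each purpose is recorded separately (specific), nothing is granted unless the person ticked it (no pre-checked defaults), the record captures which notice version they saw (informed, and provable later), and withdrawal is a first-class, always-available action that immediately stops processing. The following is an added example, not code from the article or from any particular product, of a minimal append-only consent ledger that enforces those properties. The purpose names, policy version strings, subject identifier and the `signup_form` choices are constructed for illustration.

```python
"""Consent ledger: an added example of enforcing GDPR consent rules in code.
Purpose names, policy versions and the sample subject are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The specific purposes the organization actually asks consent for.
# Anything not listed here cannot be recorded, so consent can never be
# bundled into a vague "all processing" grant. (Assumed set, for illustration.)
KNOWN_PURPOSES = {"marketing_email", "analytics", "profiling"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one specific purpose
    granted: bool         # True = consent given, False = consent withdrawn
    policy_version: str   # the plain-language notice the person was shown
    source: str           # where the action happened, e.g. "signup_form"
    at: datetime          # UTC timestamp of the action


class ConsentLedger:
    """Append-only record of grants and withdrawals, one purpose at a time."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_form(self, subject_id: str, policy_version: str, source: str,
                    choices: Dict[str, bool], at: Optional[datetime] = None) -> int:
        """Record what the person actually ticked on a form.

        Only boxes submitted as True create a grant; unticked or absent
        purposes are never treated as consented. Returns the number of grants
        recorded so the caller can see that a form with nothing ticked
        produced no consent at all.
        """
        at = at or datetime.now(timezone.utc)
        recorded = 0
        for purpose, ticked in choices.items():
            if purpose not in KNOWN_PURPOSES:
                raise ValueError(f"unknown purpose {purpose!r}; consent must be specific")
            if ticked:  # affirmative action only; no pre-checked defaults
                self._events.append(ConsentEvent(subject_id, purpose, True,
                                                 policy_version, source, at))
                recorded += 1
        return recorded

    def withdraw(self, subject_id: str, purpose: str,
                 source: str = "preferences_page",
                 at: Optional[datetime] = None) -> None:
        """Withdrawal is always accepted; the record is kept as evidence."""
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, False,
                                         "n/a", source, at))

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for (subject, purpose); None means never consented."""
        latest = None
        for ev in self._events:  # append-only, so later entries win
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The gate every processing job checks before touching the data."""
        ev = self.current(subject_id, purpose)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Evidence trail for audits and subject access requests."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo() -> dict:
    """Constructed scenario: the signup form showed two unticked boxes; the
    person ticked marketing_email only, then later withdrew it."""
    ledger = ConsentLedger()
    ledger.record_form("u42", "privacy-notice-v3", "signup_form",
                       {"marketing_email": True, "analytics": False})
    before = ledger.may_process("u42", "marketing_email")   # True
    analytics = ledger.may_process("u42", "analytics")      # False: never ticked
    ledger.withdraw("u42", "marketing_email")
    after = ledger.may_process("u42", "marketing_email")    # False: withdrawn
    unknown = ledger.may_process("u42", "profiling")        # False: never asked
    return {"before": before, "analytics": analytics, "after": after,
            "unknown": unknown, "events": len(ledger.history("u42"))}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The ledger is append-only rather than a mutable "consented: yes/no" flag, because a regulator or the person themselves can ask you to show when consent was given, under which notice, and when it was withdrawn; overwriting the flag destroys that evidence. And `may_process` is the single gate that batch jobs and services call, so a withdrawal takes effect on the next check instead of depending on every downstream system being updated separately.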
4. Data minimisation and purpose limitation – Only collect what you need for a stated purpose and no more, keep it no longer than that purpose requires, and be clear up front about what you will collect and how it will be used. Data you never stored cannot be breached, requested, or erased.
5. Territorial scope – The GDPR applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3). The test is where the person is when the data is collected, not their citizenship or residence. An EU IP address is a useful signal for spotting that traffic, but it is only a rough proxy: VPNs, roaming, and corporate proxies move people across borders, so do not build your scoping on geolocation alone.
6. Right to erasure – Be prepared to delete a consumer's data when they request it (Article 17). The right is not absolute; retention required by law, for example, overrides it, so document which records you can and cannot erase and why. In practice this means knowing every system and processor that holds a copy of the data, including backups, and having a tested procedure for removing it within a stated window.
7. 72 Hour Breach Reporting – A personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the people affected (Article 33). Where the risk is high, the affected people must also be notified without undue delay (Article 34). Every breach, reported or not, must be documented. Your incident response process needs to record the time of awareness, because that is when the clock starts.
8. Higher fines – Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of €10 million or 2% applies to others, such as failing the security and breach notification duties in Articles 32 and 33).