Are You Familiar with GDPR?
The General Data Protection Regulation (GDPR) became effective May 25, 2018, and introduced strict rules for the protection of the personal data of EU citizens. GDPR expanded the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. Under this law, U.S. companies have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business – even online – with EU data subjects.
Companies are experiencing these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.
It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. It will require changes to applications as well as changes to contracts and third-party relationships.
Internal audit plays a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions, and making sure the organization is truly compliant. Data protection, specifically as it relates to GDPR, might well be a focus point for all integrated audits that are conducted.
Key requirements of the regulation include:
- Breach Notification: Companies must report privacy breaches to the regulator, and potentially to the data subject, within 72 hours.
- Privacy by Design and by Default: When introducing new technology, firms must minimize the collection of personal data and ensure that the right security controls are in place throughout all development phases.
- Data Subject’s Rights: New rights include the right to erasure (“right to be forgotten”) and the right to data portability.
- Consent: Firms must obtain unambiguous (i.e., explicit) consent.
- Data Protection Officer (DPO): A DPO is required for organizations that conduct regular and systematic monitoring of data subjects on a large scale or process special categories of data on a large scale (e.g., healthcare organizations).
Ask these key questions to start the planning process for GDPR compliance:
- What’s the basis for processing?
- What about the data transfer?
- With whom are you sharing the information?
- Are there any special considerations?
To learn more about GDPR, read and download Protiviti’s GDPR FAQ Guide. Here are a few articles we have compiled related to GDPR:
- GDPR: Legitimate Interest vs. Consent