KnowledgeLeader Blog

What You Need to Know About Compliance of GDPR

Posted by Protiviti KnowledgeLeader on Thu, Apr 04, 2019 @ 06:04 PM

""Are You Familiar with GDPR?

The General Data Protection Regulation (GDPR) became effective May 25, 2018, and introduced strict rules for the protection of the personal data of EU citizens. GDPR expanded the scope of previous EU regulations to include any data processor or data controller that processes the personal data of EU residents. Under this law, U.S. companies have to employ data transfer mechanisms (such as Privacy Shield) if they want to continue doing business – even online – with EU data subjects.

Companies are experiencing these changes throughout their functional areas, but particularly in their legal, IT security, business, sales, data collection and marketing departments. There are no exceptions: GDPR applies to companies of all sizes, regardless of whether data is kept in-house or in the cloud. GDPR applies to existing customer data, not just new customers.

It is hard to overestimate the impact of GDPR, which has the potential to do for data privacy what Sarbanes-Oxley did for financial regulation. This is not a matter of updating a few policies. It will require changes to applications as well as changes to contracts and third-party relationships.

Internal audit plays a pivotal role in assessing the compliance posture of an organization, testing the compliance framework and the timely reporting of data breaches, challenging management assumptions, and making sure the organization is truly compliant. Data protection, specifically related to GPDR, might well be a focus point for all integrated audits that are conducted.

Key requirements of the regulation include:

  • Breach Notification: Companies must report privacy breaches to the regulator, and potentially to the data subject, within 72 hours.
  • Privacy by Design and by Default: When introducing new technology, firms must minimize the collection of personal data and ensure that the right security controls are in place throughout all development phases.
  • Data Subject’s Rights: New rights include the right to erasure (“right to be forgotten”) and the right to data portability.
  • Consent: Firms must obtain unambiguous (i.e., explicit) consent.
  • Data Protection Officer (DPO): A DPO is required for organizations that conduct regular and systematic monitoring of data subjects on a large scale or process special categories of data on a large scale (e.g., healthcare organizations).

Ask these key questions to start the planning process for GDPR compliance:

  • What’s the basis for processing?
  • What about the data transfer?
  • With whom are you sharing the information?
  • Are there any special considerations?

To learn more about GDPR, read and download Protiviti’s GDPR FAQ Guide. Here are a few articles we have compiled related to GDPR:

GDPR: Legitimate Interest vs. Consent

How Is GDPR Enforced? Who Resolves Disputes? This Detailed Podcast Offers Answers

Knowledge Is Power: What Higher Education Institutions Must Know About GDPR Compliance Risk

Topics: Data, analytics, business intelligence, KL Tools

Add a Comment:

Subscribe to Our Blog

About KnowledgeLeader

KnowledgeLeader, provided by Protiviti, is the premier resource for internal audit and risk management professionals.

With over 1,400 customizable tools and 1,300 articles by industry experts, we offer the most comprehensive service on the market.

For more information:

 Tour the Site

Recent Posts

Posts by Topic

see all