EU Directive on Personal Data Protection (GDPR) is legislation about how companies process, handle and store personal information. GDPR extends individuals' rights to ensure the privacy and protection of EU citizens' data. It requires organisations to demonstrate GDPR compliance and to provide transparency about their processes. Furthermore, companies that fail to report a data breach within 72 hours can be substantially fined. This article explores 10 GDPR requirements that your organisation needs to follow.
10 GDPR Requirements
1) Lawful and transparent data processing
All data handling procedures and policies must be documented and ready to be provided to the authorities. Organisations processing EU individuals' data must do so in a lawful and fully transparent manner. Let's explore this concept a bit more in depth.
- Lawful means that data processing and storage must be supported by a legitimate reason and not carried any further than is needed.
- Transparency requires companies to gain consent from data subjects and inform them about the processing and storage policies related to their data.
See also the Information Commissioner's Office website for more information.
2) Limitation of purpose, data and storage
GDPR-compliant companies are expected to minimise personal data to the level necessary to carry out their business activities. Once the purpose of the processing is completed, the personal data must be deleted. Here are some of the requirements for this:
- personal data must not be stored after the lawful use for the data processing is completed
- minimise personal information to what is necessary
- an organisation needs consent from a data subject to process and store their data
3) Data subject rights
One of the 10 GDPR requirements is that data subjects' rights have been extended: they include the right to ask a company what information it holds about them and to require the correction or deletion of that data. Individuals can also object to data processing or file a legal complaint against a company.
4) Consent
Where a company intends to process and store personal information, it needs explicit permission from the data subject to do so. Once collected, the consent must be documented, and a data subject has the right to withdraw their consent at any time. In addition, companies need to seek consent from the parent or guardian of children under the age of 16 to handle their data.
5) Personal data breaches
Organisations must maintain a data breach register and data breach procedures. In the event of a data breach, regulators and data subjects must be informed within 72 hours.
6) Privacy by Design
Companies should tailor their organisational and technical processes to protect personal data in the design of new systems and products. Privacy and data protection should be ensured by default, and everyone in the organisation needs to understand the principles behind the GDPR.
7) Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a process that helps you identify and minimise the data protection risks of a project. You must carry out a DPIA for any processing that is likely to result in a high risk to individuals; this includes some specified types of processing. It is also good practice to carry out a DPIA for any other major project that requires the processing of personal data.
8) Data transfers
The data controller is accountable for ensuring that data protection by design is followed and that GDPR requirements are respected, even when the processing is carried out by a third party. Controllers must also provide a secure connection for data transfers both within and outside the organisation. This means controllers must ensure the protection and privacy of personal information even when it leaves the company for a third-party provider, as well as when it moves between entities within the company.
9) Data Protection Officer
The Data Protection Officer (DPO) is responsible for advising a company on GDPR compliance and requirements. Businesses must appoint a DPO in any of the following three cases:
- Companies with more than 250 employees.
- Companies processing sensitive data, such as hospitals and law firms.
- Companies processing large volumes of data, such as e-commerce or social media platforms.
10) Awareness and training
Organisations must build a culture of GDPR awareness among employees and conduct regular training and refresher sessions. Employees should remain aware of their responsibilities for the protection of personal data and be able to identify personal data breaches. Get regularly updated, GDPR-accredited eLearning now and prepare your organisation today, and every day, with our one-day course.
Get GDPR Ready with Apex
- City & Guilds Accredited eLearning
- Updated content
- Develops Data Safety knowledge
- Instantly available course
- Completed in 60 minutes
- Subject Access Request game
- Interviews with legal experts
- Interactive content
- Certificate for your CV