The EU GDPR regulation, which will be enforced on 25 May 2018, revolutionizes the data privacy landscape. GDPR gives individuals greater control and transparency over their personal data and raises the bar for businesses to achieve lawful processing of personal information.
Achieving compliance will require more than technical solutions: businesses will need to strategically shift their data focus to recognize individual rights and to be able to prove that they comply, and how they do it.
The GDPR specifies the roles, processes and technologies organizations must have in place to ensure the personal data of EU residents is secure, accessible, and used appropriately and with consent. Its articles and principles set out a number of obligations you may need to address, including:
Collect and keep as little personal data as possible. Each data item must be justified by a use case and must be deleted once that use case has ended.
Manage consent: explicit, clear and unambiguous consent for each use case must be obtained, and proof of consent retained.
Right of access, to rectification, to erasure
Manage data subject rights: provide a means to submit requests, inform individuals, and keep track records.
Data transfer and portability
Individuals are able to request copies of the personal data being processed, in a format usable by the person, so that they can transmit it electronically to another processing system.
Data breach & right to know
Data breaches must be reported within 72 hours, and a notification to the affected individuals sent ‘without undue delay’.
Data protection by design
Protection of personal data against misuse at every stage of its lifecycle must exist by design.
This includes: backup, archives, accountability, location, roles, procedures...