The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). GDPR applies to all businesses in EU countries that work with the customer data of EU citizens. The law also addresses the export of personal data outside the EU and EEA areas, thus making GDPR a global privacy regulation. The GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
With GDPR in effect from May 25th 2018, many businesses are unsure of how to uphold compliance with the requirements and protect themselves from heavy fines. Below, we discuss a few key areas that businesses can focus on to get started with their GDPR compliance.
1. Rights of Individuals: The GDPR grants enhanced rights to individuals. Businesses must identify both the general principles they have to follow when interacting with individuals and the specific rights granted to individuals under the GDPR.
2. Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data by businesses. This is a key transparency requirement: the GDPR requires that individuals be provided with information such as the purpose of data collection, the retention period of this data, with whom it will be shared, and more.
3. Right to Erasure (“Right to be Forgotten”): GDPR makes it clear that individuals have the right to have their personal data erased. Individuals can make a request either in writing or verbally, and businesses have one month to respond. This right is not absolute and only applies in certain circumstances.
4. Data Protection Officer (DPO): The data protection officer is a mandatory role under Article 37 for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on important compliance requirements, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities (SAs) that oversee activities related to data.
5. Obligations on data processors: Under the GDPR, data processors have the responsibility of implementing appropriate technical and organizational measures for the security of personal data during their processing activities. They are also legally responsible for demonstrating compliance, beyond any contract terms.
6. Data Protection Impact Assessment: A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. A DPIA should be carried out to assess the level of risk to individuals’ personal data.
Interested in becoming GDPR compliant? Industry-certified professionals at EHR 2.0 can help maintain your business posture. Contact us at 866-276-8309 or firstname.lastname@example.org with any questions or to request a quote.