The new GDPR requirements state what companies need to do, but it’s up to the companies to figure out how to comply.
So the What is:
- Right to Access
  - The right for data subjects to obtain from a company confirmation as to whether or not personal data on them is being processed, where and for what purpose. The organisation must provide a copy of their personal data in an electronic format, free of charge.
- Breach Notification
  - Companies must notify the Supervisory Authority of any data breaches without undue delay.
  - Customers must be notified of a data breach that is likely to “result in a risk for the rights and freedoms of individuals” within 72 hours of the company becoming aware of the breach.
- Right to be Forgotten (Right to Erasure)
  - Individuals have the right to require a company to delete their personal data if the continued processing of the data is not justified (especially where the data are inaccurate or incomplete).
- Data Portability
  - Individuals have the right to require companies to transmit their personal data to another company.
- Privacy by Design
  - Data protection must be included in the design of systems from the beginning – not added later. The GDPR states “The controller shall implement appropriate technical and organizational measures, in an effective way, in order to meet the requirements of this Regulation and protect the rights of data subjects.”
  - Companies may only hold and process the data absolutely necessary for the completion of their duties (data minimisation), and must limit access to personal data to those who need it to carry out the processing.
  - GDPR requires “a statement or clear affirmative action” that signals agreement to the transfer of personal data.
  - Parental consent is required for processing children’s personal data (children being those under 13 to 16 years of age, depending on the member state).
- Data Protection Officers
  - The appointment of a Data Protection Officer is required for organisations (EU and foreign) whose core activities consist of processing operations that require regular and systematic monitoring of EU individuals on a large scale, or that process a special category of data, such as data relating to criminal convictions and offences.
  - The DPO is responsible for ensuring, in an independent manner, the internal application of the regulation. They are also required to keep a record of all processing operations involving personal data carried out by the organisation.
For the How, this is where data governance comes into play.