MINORITY & VETERAN OWNED

GDPR

The General Data Protection Regulation (GDPR) is a European Union law concerned with keeping personal data safe by requiring organizations to have robust processes in place for handling and storing personal data. Though it is EU law, many U.S. organizations must comply with its requirements in order to do business with European stakeholders. Even if your physical location and all of your employees are in the U.S., if you process the personal data of people in the EU, for example by offering them goods or services or monitoring their behavior, you will need to comply with GDPR.

GDPR took effect on 25 May 2018, replacing the earlier Data Protection Directive, and with the new law came much larger fines. Lesser infractions can result in fines of up to €10 million or 2% of an organization's worldwide annual turnover for the preceding financial year, whichever is higher. More serious infractions, such as violating the basic principles of processing or individuals' rights, can lead to fines of up to €20 million or 4% of turnover, again whichever is higher.

When a data breach does occur, regulators examine the technical and organizational measures the organization had in place, and inadequate security is an aggravating factor when a fine is set (GDPR lists the measures implemented among the criteria for deciding the amount). TMPC can make sure your security strategies, policies and procedures meet GDPR requirements, both to stave off breaches and to minimize the consequences if an attacker does break through.

FREQUENTLY ASKED QUESTIONS

HOW DO I COMPLY WITH GDPR?

To comply, organizations must implement technical and organizational safeguards to ensure the security of the personal data they control, access, transmit, store, or produce. In addition, GDPR imposes strict data protection principles: every processing activity needs a lawful basis (consent is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests), individuals must be told how their data is used, and their rights to access, correct, erase and port their data must be honored.

HOW DO I DEMONSTRATE GDPR COMPLIANCE?

In addition to actually being GDPR-compliant, businesses must also be able to demonstrate that compliance efficiently (the regulation calls this accountability). In some cases a data protection impact assessment (DPIA) is compulsory; in others, controllers can point to clear policies and procedures, records of processing activities, and approved third-party certifications or codes of conduct to show due diligence.

GDPR takes a risk-based approach, and your measures should be commensurate with the risk the processing poses to the individuals concerned. A company processing a small amount of ordinary contact data, for example, can justify lighter measures. If that same small amount of data is highly personal, such as health information or another special category of data, the law calls for more stringent measures, and often a DPIA, regardless of volume.

WHAT RIGHTS DO INDIVIDUALS HAVE UNDER GDPR?

Individuals have the right to access their personal data. You must provide a copy of the data along with an explanation of how you have used it, including the purposes of processing, the categories of personal data, and the recipients of that data. One copy must be provided free of charge, while you may charge a reasonable fee for additional copies. Requests must be answered without undue delay and in any event within one month, extendable by a further two months for complex or numerous requests if you tell the individual why.

Further, individuals have the right to data portability: to receive the data they have provided to you in a structured, commonly used, machine-readable format and to have it transmitted to another organization where technically feasible. This right applies to data processed by automated means on the basis of consent or a contract, and it is a hallmark of GDPR, not an optional extra.

In addition, people can request that you erase their data, and you must do so unless an exception applies, such as a legal obligation to retain it or the need to establish or defend legal claims. This is GDPR's "right to be forgotten": if you have made the data public, you are also obligated to take reasonable steps, including technical measures, to inform other controllers processing that data that the individual has asked for any links to or copies of it to be erased.

WHAT ARE GDPR’S DATA BREACH RULES?

Because attackers are determined and innovative, breaches can occur even when an organization is compliant. When this happens, the law requires prompt notification. Organizations must inform the relevant Data Protection Authority (DPA) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if notification is late, the reasons for the delay must be given. If the breach is likely to pose a high risk to individuals, they must also be notified without undue delay. Every breach, notified or not, must be documented internally.

TMPC GDPR CHECKLIST

    IDENTIFY YOUR DATA PROTECTION AUTHORITY

GDPR requires that you notify your DPA within 72 hours of becoming aware of a breach. Which DPA you report to depends on where your organization is established in the EU (its lead supervisory authority) and, for organizations with no EU establishment, on the member states where the affected individuals are located. The European Data Protection Board publishes a list of EU DPAs by country.

    APPOINT A DATA PROTECTION OFFICER (DPO)

GDPR makes a DPO mandatory only in certain cases, for example for public authorities or organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but appointing one is good practice for any organization handling EU personal data. The DPO must have expert knowledge of data protection law and practice, report directly to the highest level of management, and be free of conflicts of interest, so the role should not go to someone who decides the purposes and means of processing, such as the CEO or the head of IT. This person will offer training and exercise checks on procedures and technical operations to ensure compliance. The DPO can also be the point person for a third-party expert. TMPC, for instance, can manage the entire process while making sure the DPO is informed and has effective training and assessment materials.

    POLICY REVIEW / ASSESSMENT

Conduct a thorough assessment of your data protection policies, ensuring the security, lawfulness and transparency of your data processing. Map what personal data you hold, where it lives, who can reach it and why, and identify vulnerabilities; having a clear picture of your data environment is paramount. If your processing is likely to result in a high risk to individuals, for instance large-scale processing of special categories of data, systematic monitoring of a publicly accessible area, or automated decisions with legal effects, a Data Protection Impact Assessment (DPIA) is required. TMPC can help you determine the level of assessment your organization needs and carry out the assessment itself.

    STRENGTHEN SECURITY

With a clear picture of your security environment, you will be able to see current vulnerabilities so you can address them. GDPR expects security appropriate to the risk, and it names the kinds of measures regulators look for: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. Should a breach occur, regulators will find any unaddressed weaknesses, and inadequate measures lead to higher fines. TMPC can provide effective solutions.

    ENSURE PRIVACY RIGHTS

Establish and record a lawful basis for every processing activity, obtain and record consent where that is the basis you rely on, and respond to queries and data subject requests promptly, within the one-month deadline. TMPC can help determine policies and procedures that ensure team members know what is expected of them and when.

    DOCUMENT GDPR COMPLIANCE

Under GDPR, compliance is not enough. You also need to be able to demonstrate compliance through thorough documentation: records of processing activities, all policies and procedures, training, DPIAs and mitigation efforts, breach logs and reporting timelines. TMPC can take care of this for you.

    REPORT DATA BREACHES PROMPTLY

Some organizations may wish to delay notifying a data breach, hoping to resolve it before having to disclose it. GDPR does not allow this: the 72-hour clock starts when you become aware of the breach, a late notification must be accompanied by the reasons for the delay, and sitting on breach information is itself a serious violation of the law.