GDPR (General Data Protection Regulation) is a data-privacy regulation of the European Union (EU) and the European Economic Area (EEA). It is enforceable from 25 May 2018.
In simple words: it ensures that personal data is handled with care and respect.
Non-compliance can result in a fine of up to 20 million EUR or 4% of the annual global turnover.
- Personal data can be processed (*) only on a legal ground, e.g. a sales contract.
- If there is no legal ground, the person can be asked for consent (freely given, in clear and short text). Consent can be withdrawn at any time.
- Persons have the right to ask what data you hold on them.
- There are forbidden categories of data, such as racial or ethnic origin, political opinion, beliefs, genetic data, data about sex life or sexual orientation, etc.
(*) "Processing": collecting, recording, storing, structuring, analyzing.
The main aspects to be addressed are:
1. Governance and Accountability
2. Personal Data Inventory and Mapping
4. Third Party Processors
5. Privacy Notices
6. Information Security
7. Data Subject Requests and Complaints
8. Operational Processes and Procedures
9. Breach Management and Response
10. Training and Awareness
11. Privacy By Design and DPIAs
12. Ongoing Conformance