
General Data Protection Regulation (GDPR)

Level: Advanced
Intended audience: Anyone managing personal data within the EU or across EU boundaries
Solution Store: GDPR templates are available from the Solution Store

Introduction

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation of the European Parliament and of the Council, proposed by the European Commission, intended to strengthen and unify data protection for individuals within the European Union (EU).


It also governs the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU.

The data protection reform package consists of the General Data Protection Regulation ("Regulation") and the Data Protection Directive for the police and criminal justice sector (Directive (EU) 2016/680, the "Directive").

General Data Protection Regulation (GDPR)

The GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC). It was adopted on 27 April 2016 and applies from 25 May 2018. As a Regulation it is directly applicable in every Member State and does not require enabling legislation to be passed by national governments.

The Regulation updates and modernizes the principles from the 1995 Data Protection Directive to guarantee privacy rights. It focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The new rules include:

    • Stronger enforcement of the rules: data protection authorities will be able to fine organizations that breach the rules up to 4% of their annual global turnover or €20 million (whichever is greater) for the most serious infringements.
    • Extended jurisdiction: the GDPR applies to any organization processing the personal data of data subjects who are in the European Union, regardless of where the processing takes place, where the processing relates to offering goods or services to those data subjects (paid or free) or to monitoring their behaviour within the EU. Non-EU businesses that fall within this scope must, with limited exemptions, appoint a representative in the EU.
    • Consent: a request for consent must be clearly distinguishable from other matters, use clear and plain language, and state the purpose for which the data is being gathered. It must be as easy to withdraw consent as to give it.
    • A "right to be forgotten": if a person no longer wants their data to be processed, and provided that there are no legitimate grounds for retaining it, the data must be erased. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
    • Easier access to one's data: individuals will have more information on how their data is processed, and this information must be provided in a clear and understandable way. A right to data portability makes it easier for individuals to transmit personal data between service providers.
    • The right to know when one's data has been hacked: companies and organizations must notify the national supervisory authority of a personal data breach that is likely to put individuals at risk without undue delay and, where feasible, within 72 hours of becoming aware of it. Breaches that are likely to result in a high risk to individuals must also be communicated to the affected data subjects without undue delay, so that they can take appropriate measures.
    • Privacy by design: "data protection by design and by default" means that data protection is built in from the start of the design stage of a new system and that the most privacy-protective settings apply by default. Controllers may only hold and process data that is necessary for the stated purpose, and must restrict access to the staff who need it to carry out that processing.
    • Data Protection Officers (DPO): a DPO is mandatory for public authorities, and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data or of data relating to criminal convictions and offences. Organizations must also keep internal records of their processing activities (with a limited exemption for those with fewer than 250 employees). The DPO is appointed on the basis of professional qualities and expert knowledge of data protection law, may be a member of staff or an external service provider, reports directly to the highest level of management, and may not carry out any other task that could result in a conflict of interest. The organization must provide the DPO with the resources and training needed to carry out these tasks, and must publish the DPO's contact details and communicate them to the relevant Data Protection Authority (DPA).

The data protection reform package helps business to realise potential through:

  • One continent, one law: a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28. The benefits are estimated at €2.3 billion per year.
  • One-stop-shop: companies operating in several Member States will deal with a single lead supervisory authority, not 28, making it simpler and cheaper to do business in the EU.
  • Technological neutrality: the Regulation is written independently of any particular technology, so innovation can continue to thrive under the new rules.

The new rules thus establish a single, pan-European law for data protection. Any company, whether or not it is established in the EU, must apply EU data protection law if it wishes to offer goods or services in the EU.

Data Protection Directive for police and criminal justice (Directive (EU) 2016/680)

The Directive replaces Framework Decision 2008/977/JHA, which previously governed data processing by police and judicial authorities. It entered into force on 5 May 2016, and EU Member States have to transpose it into their national law by 6 May 2018.

The Directive ensures the protection of personal data of individuals involved in criminal proceedings: witnesses, victims or suspects. Personal data must be processed lawfully, fairly and only for a specific purpose. It also facilitates a smoother exchange of information between authorities, improving cooperation to prevent crime, and provides robust rules on personal data exchanges at national, European and international level.

Key Benefits

Here are the key benefits of the RequirementONE GDPR Solution.

Improved Data Protection

Reduce the time and expense of implementing the new data protection regulation before the GDPR becomes applicable. Reduce risk within current programs by identifying areas for improvement.

Collaboration

The Framework creates a common language for the discussion of data protection issues that can facilitate internal and external collaboration.

Mapping Controls and Policies

Individual controls and policies may apply to numerous frameworks. These can be maintained as an interlinked set of procedures to avoid duplication of effort.

A Single Point of Truth

Each compliance element is stored as a record and can be updated, commented on, controlled and audited individually. Data is accessible to all stakeholders with no version control issues.

Dependency Linking

All links and interfaces can be defined and maintained showing dependencies between various policies.

Reporting

Track the progress of data protection projects. In-line analytics highlight gaps in data protection, traceability of changes and status of data protection efforts.

Auditing

Internal and External audit teams benefit from a specialized interface with full visibility to review and evaluate procedures.

Typical Use Cases

Here is a typical, but not exhaustive, list of roles and associated use cases that would interact with this solution.

Role: use case
End users
  • Consume the latest policies
Data protection team
  • Use the framework as a guide to implement the relevant controls and policies
Data protection officer
  • Manage and report against data protection
Executive
  • Roadmap to achieve or improve data protection

Templates

These apps and templates are used for the solution.

What: Plan
Implementing the General Data Protection Regulation (GDPR): A plan to help businesses implement the GDPR, which can be used to ensure that all policies, controls and procedures are updated before the GDPR becomes applicable.

GET STARTED
1) Download the Implementing the General Data Protection Regulation (GDPR) plan from the Solution Store.
2) Assign each task to a member of the team.
3) Follow each step of the plan according to the plan instructions.

What: Specification
General Data Protection Regulation (GDPR): A specification containing the text of the GDPR, which can be used to ensure that all policies, controls and procedures are updated before the GDPR becomes applicable.

GET STARTED
1) Download the General Data Protection Regulation (GDPR) specification from the Solution Store.
2) Mark each record to show whether it is applicable to your organization.
3) Link each applicable record to the corresponding policy / control / procedure record.
4) As the linked records are updated, mark the status of the work.
5) Use filters to identify work still to be done.
6) If there are people in the organization who need to be informed but do not have access to RequirementONE, export the completed document to Word.


Getting started

  1. Select an existing, or create a new project
  2. Click on the Solution Store, and select the GDPR Templates
  3. Once you have the templates, add your custom data and work through the plan.

Additional notes

Combine the GDPR templates with other compliance frameworks to provide a holistic compliance solution for your organization.

Questions or Comments?

Respond to this post if you want to comment on the template or ask the author a question.
