Updated: Mar 16, 2020
The General Data Protection Regulation (GDPR), which took effect on 25 May 2018, standardizes the handling of personal data across the EU and EEA. It was introduced to protect data privacy and to give individuals greater control over their personal data and how it is used. Any organization that processes the personal data of individuals in the EU must comply with the GDPR, regardless of where the organization is established or where the processing actually takes place.
Organizations found responsible for the most serious infringements (for example, processing personal data without a valid legal basis such as consent) face fines of up to 4% of their total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
What is GDPR Compliance?
For companies that control or process the personal data of individuals located in the EU, the implications of the GDPR are significant, and compliance is compulsory. The GDPR calls for comprehensive changes to business practices that affect functions across the company, from finance to HR, marketing, sales and customer support. Companies that share personal data with partner organizations (processors) must also ensure, normally through a written contract, that those partners provide sufficient guarantees of GDPR compliance.
The most important aspects of the GDPR include:
The Data Protection Officer (DPO)
A DPO must be appointed by public authorities and by organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily. The DPO advises the company on its obligations, monitors compliance with the GDPR and with the company's own policies, and serves as the contact point for supervisory authorities and data subjects.
Pseudonymization
Pseudonymization means processing personal data so that it can no longer be attributed to a specific data subject without additional information (such as a lookup table or a secret key) that is kept separately and protected by technical and organizational controls. The GDPR does not mandate it in every case, but it names pseudonymization repeatedly as an appropriate safeguard, and pseudonymized data is still personal data that remains in scope of the regulation. This requirement can present challenges for companies that leverage marketing automation software or similar technologies and services, which typically depend on directly identifying fields such as email addresses.
The “Right to Be Forgotten”
The right to erasure (commonly called the “right to be forgotten”) compels firms to delete an individual's personal data without undue delay upon request, where no legal ground for retaining it applies. This covers numerous pieces of data, such as website visits, IP addresses, and more. The right to erasure has led to a great deal of debate over how to handle data held in backups and how the requirement is enforced in practice.
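Keyed-hash pseudonymization and an erasure ledger, as an added example (Python, standard library only) that is not part of the original article and is not legal advice: it pseudonymizes constructed web-visit records by replacing name, email and IP address with an HMAC-derived token and a /24 prefix, and it shows the usual practitioner answer to the backup question raised above, an erasure ledger that is re-applied on every restore, plus destruction of the pseudonymization key so that tokens in old backups can no longer be resolved. The sample records, the `Pseudonymizer` and `EventStore` classes and the `run_erasure_scenario` helper are all hypothetical.

```python
"""Pseudonymize a web-event stream with a keyed hash and honour erasure
requests across live data and backups. Standard library only."""
import hmac
import hashlib
from typing import Dict, List, Set

# Constructed sample records for this example; no real people or addresses.
RAW_EVENTS: List[Dict] = [
    {"name": "Ada Example", "email": "Ada@Example.org", "ip": "203.0.113.42", "page": "/pricing"},
    {"name": "Ada Example", "email": "ada@example.org", "ip": "203.0.113.42", "page": "/signup"},
    {"name": "Bob Sample", "email": "bob@example.net", "ip": "198.51.100.7", "page": "/pricing"},
]
# Fields that identify a person directly and must not reach the analytics store.
DIRECT_IDENTIFIERS = ("name", "email", "ip")


class Pseudonymizer:
    """Owns the secret that maps an identity to a token. Under GDPR Art. 4(5)
    this 'additional information' is kept separately from the data, so in a
    real deployment the key lives in a KMS/HSM, not beside the event store."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a random 256-bit key, not a password")
        self._key = key

    def subject_id(self, email: str) -> str:
        """Stable 128-bit pseudonym for one subject under the current key.
        HMAC rather than plain SHA-256: whoever holds only the data cannot
        recover identities by hashing guessed email addresses."""
        if not self._key:
            raise RuntimeError("pseudonymization key has been destroyed")
        normalized = email.strip().lower()  # same person, same token
        mac = hmac.new(self._key, normalized.encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    @staticmethod
    def coarsen_ip(ip: str) -> str:
        """Keep the /24 for abuse and geolocation statistics, drop the host part."""
        return ".".join(ip.split(".")[:3]) + ".0/24"

    def pseudonymize(self, event: Dict) -> Dict:
        """Return a copy of the event with direct identifiers replaced."""
        out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = self.subject_id(event["email"])
        out["ip_prefix"] = self.coarsen_ip(event["ip"])
        return out

    def destroy_key(self) -> None:
        """Crypto-shredding: with the key gone, nobody can map an email to a
        token again, so tokens sitting in old backups can no longer be resolved."""
        self._key = b""


class EventStore:
    """Live pseudonymized store plus an erasure ledger. Immutable backups
    cannot be edited, so every erasure is recorded and re-applied on restore
    (alongside a documented retention schedule that expires old backups)."""

    def __init__(self) -> None:
        self.records: List[Dict] = []
        self.erased: Set[str] = set()

    def ingest(self, records: List[Dict]) -> None:
        self.records.extend(records)

    def erase_subject(self, subject_id: str) -> int:
        """Honour an erasure request; returns the number of records removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r["subject_id"] != subject_id]
        self.erased.add(subject_id)
        return before - len(self.records)

    def restore(self, backup: List[Dict]) -> int:
        """Restore a backup minus anything erased since it was taken;
        returns the number of backup records suppressed."""
        kept = [r for r in backup if r["subject_id"] not in self.erased]
        self.records = kept
        return len(backup) - len(kept)


def run_erasure_scenario(key: bytes) -> Dict[str, int]:
    """End to end: pseudonymize, snapshot, erase one subject, restore."""
    pz = Pseudonymizer(key)
    store = EventStore()
    store.ingest([pz.pseudonymize(e) for e in RAW_EVENTS])
    backup = [dict(r) for r in store.records]  # snapshot taken before the request
    ada = pz.subject_id("ada@example.org")     # resolve the requester to her token
    removed = store.erase_subject(ada)
    suppressed = store.restore(backup)         # a later restore must not bring Ada back
    return {"removed": removed, "suppressed": suppressed, "remaining": len(store.records)}


if __name__ == "__main__":
    import secrets
    print(run_erasure_scenario(secrets.token_bytes(32)))
```

Two caveats the code makes concrete: pseudonymized data is still personal data for as long as the key exists, and an unkeyed hash of an email address is not a pseudonym, because anyone with a list of candidate addresses can recompute it. Whether a keyed token plus a /24 prefix is sufficient for a given processing purpose is a question for the DPIA, not something the code decides.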
What is a GDPR Gap Analysis?
A GDPR Gap Analysis is an exercise that assesses the current status of your organization’s compliance with the GDPR and helps find and prioritize the areas that require immediate attention. A GDPR Gap Analysis can be performed in a do-it-yourself approach or through a consultant-led engagement. In either case, there are a number of defined areas that need to be addressed in the analysis.
Data Protection Governance
Determines whether you have the required controls in place for:
Data protection responsibility and accountability
Policies and procedures
Ensures your organization utilizes suitable privacy risk management practices, including how you manage the rights of data subjects.
Project Resource Management
Outlines how you apply and manage resources to your compliance program.
Data Protection Officer (DPO)
Addresses your appointment of a Data Protection Officer.
Roles and responsibilities
Determines the current level of staff awareness and training. Ensures your compliance program defines employee roles and responsibilities in achieving GDPR compliance.
Examines the definition and extent of your compliance obligations. Helps to ensure you have considered all data processing and data sharing activities for your organization.
Personal Data Processes
Confirms that you have applied processes and procedures for each GDPR principle concerning personal data. Ensures you have implemented a suitable Data Protection Impact Assessment (DPIA) process for processing that is likely to result in a high risk to individuals.
Personal Information Management System (PIMS)
Verifies that a suitable program is in place to record your GDPR compliance activities.
Information Security Management Systems (ISMS)
Ensures your organization adheres to the GDPR requirement for protecting personal data with “appropriate technical and organizational measures”.
Rights of Data Subjects
Confirms that you have developed a process for enabling the rights of data subjects.
eLearning and GDPR Gap Analysis
A primary concern of any organization looking to ensure GDPR compliance is creating employee awareness of their roles and responsibilities in adhering to the regulation. eLearning tools and technologies have proven valuable in creating these learning opportunities for employees.
LMS Portals provides a cloud-based platform that allows you to launch and manage your own corporate-branded eLearning portal for GDPR training. Our system lets you quickly and easily develop and deliver learning content and includes supporting tools for employee onboarding, engagement, online communications, program measurement, and more.
Contact us today to get started for free!