This new legal framework has the main objective of guaranteeing the privacy and integrity of EU consumers' data and defines that all citizens have the right to know how their data is being used, as well as the right to have their data completely erased if so requested.
Find out what will change with the entry into force of this new regulation and understand in which areas you should act to ensure your company is in compliance:
- Fines can reach 20 million euros or 4% of global turnover for companies in non-compliance.
- EU rules must apply if personal data is processed abroad by companies active in the EU market or if these organisations record the behaviour of individuals in the EU.
- Top management must understand the implications of the new regulation and create a transformation program to comply with GDPR, involving areas such as the Legal Department, Marketing or IT areas.
- Companies must carry out internal audits to define: what type of information they collect, how the information is stored, who can access the information and with whom it is shared.
- Consent for data collection must be explicit from the holder of the personal data and must be recorded.
- Service outsourcing contracts should be reviewed, as the GDPR also applies to subcontractors established in the EU.
- It must be SRI Directive complied with(Network and Information Security Directive), which imposes a minimum level of security for digital technologies, networks and services, and also requires (particularly for entities such as those in the health sector) to report incidents with a significant impact on the security of networks and information systems. Entities that are part of the NHS must notify the breach of personal data, whenever possible, within 72 hours of becoming aware of it.
- A data protection officer will be mandatory for some companies (for example, if they process sensitive data). This will be the person within the company responsible for complying with the obligations of the regulation.
- Companies will have to adopt data protection principlessince conception (privacy by design) and data protection by default (privacy by default).
- Organizations should carry out information security training actions aimed at all employees and create permission levels that restrict access to data according to the functions and needs of each employee.
Want to know more about the GDPR and how can PHC software help you comply with the regulation? Click here to consult our information space about the GDPR
