EU General Data Protection Regulation (GDPR)

Speak to a GDPR expert

If you’re looking for help with your EU GDPR project, get in touch with our experts, who can advise you on which of our products and services are best suited to your needs.

What is the EU GDPR?

In the European Union (EU), privacy and data protection are fundamental human rights enforced through law. The GDPR supersedes existing national data protection laws across the EU, bringing uniformity by introducing just one main data protection law for organizations to comply with.

Significant and wide-reaching in scope, the Regulation brings a 21st-century approach to data protection. It expands the rights of EU residents to have more control over how their personal data is collected and processed, and places a range of new obligations and responsibilities on organizations to be more accountable for data privacy and protection.

The GDPR – what it means for Canadian and US organizations

The GDPR applies to any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed. Canadian and US organizations with any connection to the EU – whether through subsidiaries, customers, or suppliers – stand to be affected. Organizations should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.

GDPR compliance is not just a matter of ticking a few boxes; the Regulation demands that you are able to demonstrate compliance with its six data processing principles. This involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the transparency, accountability, and individuals’ rights provisions, and building a workplace culture of data privacy and security.

In some cases, the GDPR compliance steps will supplement existing measures that many North American organizations adopt as a matter of good practice or to comply with sector or state privacy laws, e.g. the Health Insurance Portability and Accountability Act (HIPAA).

With an appropriate privacy compliance framework in place, not only will you be able to avoid significant fines and potentially heavy reputational damage but you will also be able to show customers that you can be trusted with their data, and ultimately derive added value from the data you hold.

Summary of the EU GDPR

"When the EU GDPR came into effect on 25 May 2018, it was the first major update to European data protection law for over 20 years. The Regulation gives individuals (known as data subjects) much greater control over how organisations process, or control the processing of, their personal data..."

Watch our 7-minute video for a comprehensive overview of the EU GDPR.

GDPR overview

Click to expand some key changes introduced by the Regulation:

1. Accountability and governance

You must be able to demonstrate compliance with the GDPR. This includes:

Establishing a governance structure with roles and responsibilities
Keeping a detailed record of all data processing operations
Documenting data protection policies and procedures
Conducting data protection impact assessments (DPIAs) for high-risk processing operations
Implementing appropriate measures to secure personal data.
Offering staff training and awareness programs
Where necessary, appointing a data protection officer

Read our GDPR compliance checklist >>

2. The six data processing principles

Personal data must be processed according to the six data processing principles. It must:

Be processed lawfully, fairly, and transparently (‘lawfulness, fairness and transparency’)
Be collected only for specific, legitimate purposes (‘purpose limitation’)
Be adequate, relevant, and limited to what is necessary (‘data minimisation’)
Be accurate and kept up to date (‘accuracy’)
Be stored only as long as is necessary for the purposes specified (‘storage limitation’)
Processed in a secure manner “using appropriate technical and organisational measures” (‘integrity and confidentiality’)

3. Lawful processing

You must identify and document the lawful basis for each processing activity of personal data that takes place. The lawful bases are:

Explicit consent from the individual
The necessity to perform a contractual obligation
Protecting the vital interests of the individual
The organization’s legal obligation
Necessity for the public interest
The legitimate interests of the organization

4. Privacy rights of individuals

Individuals’ rights are enhanced and extended in a number of important areas:

The right of access to personal data through subject access requests (SARs)
The right to correct inaccurate personal data
The right in certain cases to have personal data erased (the ‘right to be forgotten’)
The right to object
The right to move personal data from one service provider to another

5. Valid consent

The GDPR introduces stricter rules for obtaining consent:

Consent must be freely given, specific, informed, and unambiguous
A request for consent must be intelligible and in clear, plain language
Silence, pre-ticked boxes, and inactivity will no longer suffice as consent
Consent can be withdrawn at any time
Consent for online services from a child under 16 is only valid with parental authorization
Organizations must be able to evidence consent

6. Data security and breach reporting

Data controllers and processors must implement technical and organizational measures that are designed to implement the data processing principles effectively.

Appropriate safeguards should be integrated into the processing.
Data protection must be considered at the design stage of any new process, system or technology.
A DPIA (data protection impact assessment) is an integral part of privacy by design

7. Transparency and privacy notices

Organizations must be clear and transparent about how personal data is going to be processed, by whom and why.

When personal data is collected directly from data subjects, data controllers must provide a privacy notice at the time of collection.
When personal data is not obtained direct from data subjects, data controllers must provide a privacy notice without undue delay, and within a month. This must be done the first time they communicate with the data subject.
For all processing activities, data controllers must decide how the data subjects will be informed and design privacy notices accordingly. Notices can be issued in stages.
Privacy notices must be provided to data subjects in a concise, transparent and easily accessible form, using clear and plain language.

8. Data transfers outside the EU

The transfer of personal data to international organizations and countries outside the EU is only allowed:

Where the EU has designated a country as providing an adequate level of data protection;
Through model contracts or binding corporate rules; or
By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.

9. Data breach reporting

Personal data needs to be protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage using “appropriate technical and organisational measures”.

If a data breach does occur, it has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware. Any individuals impacted should also be informed, if there is a risk to their rights and freedoms, such as identity theft or personal safety.

10. DPO (data protection officer)

The appointment of a DPO is mandatory for:

Public authorities;
Organisations involved in high-risk processing; and
Organisations processing special categories of data.

A DPO has set tasks:

Informing and advising the organization of its obligations
Monitoring compliance, including raising awareness, staff training, and audits
Cooperating with the relevant authorities and acting as a contact point

Download our free GDPR compliance guide

Download this free green paper to understand the fundamental principles and rights of the GDPR, and what US organizations must do to comply.

Download now

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (data subject). The Regulation places much stronger controls on the processing of special categories of personal data than the DPA 1998. The inclusion of genetic and biometric data is new.

Personal data

Name
Address
Email address
Photo
IP address
Location data
Online behaviour (cookies)
Profiling and analytics data

The benefits of GDPR compliance

There are great advantages to GDPR compliance. The new law promotes greater transparency and accountability and aims to increase public trust by giving individuals more control over their data. By getting data protection right, organizations will enhance their reputation, and build better, trusted relationships with existing and potential customers.

The business benefits of the GDPR include:

Build customer trust
Improve brand image and reputation
Improve data governance
Improve information security
Improve competitive advantage

How IT Governance can help you get GDPR-ready

IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping organizations address the challenges of EU GDPR compliance.

Browse our wide range of products that can help you meet your GDPR compliance objectives.