The EU legal framework on data protection has been harmonized with the objective of establishing a high level of data protection, as highly standardized as possible, for the processing of personal data. The new EU General Data Protection Regulation (EU-GDPR), aimed at improving the protection of personal data, came into force on May 25, 2018.
The introduction of the EU-GDPR requires that all companies review existing data processes and create numerous new processes. In addition, existing models, checklists and contractual documents must be revised. Furthermore, technical and organizational measures must be adapted. Organizations that fail to comply with the new regulation face fines of up to 20 million Euros or 4 percent of their global annual turnover.
Some central aspects of the EU-GDPR have been listed below.
Processing of personal data for clear and legitimate processes only: Generally, personal data must be saved in a form and manner that enables the data subjects to be identified only for as long as this is necessary and for the purposes for which these data are processed. Once they are no longer needed for the purpose for which they were collected, personal data must be deleted. If data subjects withdraw their consent to the use or processing of their personal data, organizations are obliged to delete (‘erase’) the relevant information.
Extended duties of documentation: The GDPR introduces additional obligations for companies, in particular in the field of documentation. While organizations no longer have to maintain a public directory of procedures, the obligation to keep internal records of their processing activities has been maintained and even extended.
Minimizing risk: The EU GDPR pursues a risk-based approach, focusing on the “risks for the rights and freedoms of natural persons.” Such risks may arise in case of personal data breaches. Given this, the regulation requires that personal data breaches must be reported to the competent supervisory authority within 72 hours. Organizations should clearly regulate the roles and responsibilities within their data protection organization and establish and document the processes necessary to mitigate the existing risks.
In certain cases, the EU GDPR requires detailed risk assessment prior to the introduction of data processing. Risk assessment in this context extends from systematic description of the planned activities and purposes of the processing of personal data to documentation of the actions planned to mitigate the risks and ensure the protection of personal data.
TÜV SÜD recommends that organizations identify processes falling under the scope of the GDPR, and that they conduct initial checks by aligning existing processes with the new requirements. As the EU GDPR has already come into effect, it is high time to complete the implementation of compliant processes and systems.
A leading expert on regulatory frameworks and process optimization, TÜV SÜD supports businesses in the process of becoming EU-GDPR compliant.
Understand the key requirements of the harmonized EU standard
Enhance your knowledge of IT and cybersecurity terms
Understand the current climate in cyber threats, learn about the hacker’s mindset
Determine which CMMC maturity level you must achieve to work for the Department of Defense
Select Your Location
Bosnia and Herzegovina