The Regulation itself is a long document (118 pages of legalese), and failure to meet its requirements could turn out to be expensive – administrative fines of up to 4% of annual global turnover or €20 million, whichever is greater. Under the accountability principle (Article 5(2)), the data controller is responsible for demonstrating that the organisation complies with the six principles set out in Article 5(1) of the GDPR:
Personal data must be:
1. processed lawfully, fairly and transparently (lawfulness, fairness and transparency);
2. adequate, relevant and limited to what is necessary for the purposes of processing (data minimisation);
3. accurate and, where necessary, kept up to date (accuracy);
4. kept in a form that permits identification of the data subject for no longer than is necessary for the purposes of processing (storage limitation);
5. processed in a manner that ensures its security (integrity and confidentiality);
and can only:
6. be collected for specified, explicit and legitimate purposes (purpose limitation).
These six principles are at the heart of the Regulation, but it’s important to consider other areas, including: consent and documentation of consent, lawful processing, controller/processor contracts, the data protection officer (DPO), accountability and the board, and how to respond to data breaches.
Complying with the Regulation
Because the administrative penalties can be applied so broadly, it is important to understand what your own obligations and exposure are. The first step towards compliance for most organisations will be a data audit: identifying the personal data they already hold, who it has been shared with and where it is now held, and determining what must be done with that data in order to comply with the GDPR.
You will also be required to:
- Provide GDPR-compliant documentation – The Regulation requires organisations to produce a considerable amount of documentation (records of processing activities, policies, procedures and evidence of consent, among other things). Take a look at our GDPR Documentation Toolkit to see what’s required.
- Deliver appropriate technical and organisational measures (Article 24)
- Secure relationships with your suppliers
A pocket guide on the GDPR
If you need help understanding the Regulation, the broader principles of data protection, what the Regulation means for businesses in Europe and beyond, or any of the issues mentioned above, then I would highly recommend getting yourself a copy of EU GDPR – A Pocket Guide.
Written by internationally acknowledged cyber security expert and leading author on information security and IT governance issues Alan Calder, this pocket guide will help you quickly understand your new obligations.