The new European General Data Protection Regulation (EU) 2016/679,
which came into force on 25 May 2018, establishes a single legal
framework for the protection of personal and sensitive data in all
EU Member States. Its application is mandatory in all EU countries
and affects businesses across the globe if they serve people residing
within the EU.
The Regulation requires all companies to apply reasonable measures to
protect the privacy of their consumers and to protect personal data
from loss or exposure to unauthorized persons.
Highlights of the General Data Protection Regulation (GDPR)
- Article 5 of the GDPR summarizes the most important principles
regarding the management of personal data:
  - Personal data should be processed in accordance with law, fairly
  and transparently.
  - Limited purpose
    - Personal data must be collected and processed for explicitly
    defined and legitimate purposes and should not be used incompatible
  - Minimize data
    - Personal data collected should be limited, adequate and relevant
    only to serve the purpose for which they were
  - Personal data stored and processed must be accurate and, where
  necessary, up to date.
  - Storage limitation
    - Personal data identifying a person should be kept for a period
    of time that does not exceed what is necessary to fulfill the
    purpose for which they were collected and processed.
  - Confidentiality and integrity
    - Personal data must be processed in a way that ensures their
    security, including protection against unauthorized or unlawful
    processing and accidental loss, destruction or damage, using
    appropriate technical or organizational
What should an enterprise do to comply with the new regulation?
Many of the main concepts and principles of GDPR are the same
as those of the previous DPA, so if you are already properly compliant
then most of your compliance approach will remain valid within the
However, there are new elements and important improvements,
so you have to do some things for the first time and some things
It is important to carefully design your approach to GDPR compliance
and gain the support of your staff and/or key people in your business.
You may need, for example, to implement new procedures to address
the new transparency requirements of the GDPR and the rights of
individuals. In a large or complex business, this could have major
implications: financial cost, allocation of IT department staff,
additional work for your staff, communication impact, and business
disruption.
Some sections of the GDPR will have a greater impact on some
businesses than others.
For example, businesses that create or manage a person's profile,
collect their personal data, or process children's data will face more
difficulty in complying with it.
The road to full compliance is long, and the methodology followed to
reach the end is of strategic importance.
To begin, each business should record which parts of the GDPR
will have the greatest impact on its business model and pay special
attention to these areas when designing its policies and describing
its processes in detail.
We can help you define a strategy for your privacy programme and a tailored approach based on what matters most to your organization and your approach to risk. Every business has unique characteristics requiring a tailored approach to data protection.