Proactive data privacy compliance: Data Mapping, Data Protection Impact Assessments, Records of Processing Activities and DSAR Response Workflows
Keeping consistent with the importance of Human Rights in the European Union, the GDPR was created to bolster those rights in a digital era. Passing in 2016, effective on May 25, 2018, GDPR is recognized as the strongest, most comprehensive data privacy regulation in the world. The GDPR protects individuals’ personal identifiable information (PII) from unlawful processing or destruction. Organizations must only collect data to fulfill a legitimate business purpose and must have a legal basis such as consent for data processing. Specific principles and data subject rights need to be followed for compliance and avoidance of severe fines and penalties.
The right to be informed that you’ve collected and used personal data
The right to access personal data and how it’s processed
The right to rectify inaccurate or incomplete personal data
The right to erase data
The right to restrict the processing of personal data
The right to data portability
The right to object
| Principle | Description |
|---|---|
| Lawfulness, Fairness, and Transparency | Processing must be lawful, fair, and transparent to the data subject |
| Purpose Limitation | You must process data for the legitimate purposes specified explicitly to the data subject when you collected it |
| Data Minimization | You should collect and process only as much data as necessary for the purposes specified |
| Accuracy | You must keep personal data accurate and up to date |
| Storage Limitation | You may only store personally identifying data for as long as necessary for the specified purpose |
| Integrity and Confidentiality | Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality |
| Accountability | The data controller is responsible for being able to demonstrate GDPR compliance with all these principles |
Update Privacy Policy to acknowledge that you are aware of GDPR
Review legal basis for processing personal data
Document all data is collected and processed
Data Mapping for personal information fields to each internal database
Appoint a person, team, or Data Protection Officer who can own data privacy
Reporting Metrics for auditing. Show auditors your data landscape, proof of purpose, and all data subject access requests completed to date
Meet proper deadlines (30 days to respond to requests)
Fine up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, which ever amount is higher
Fine up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, which ever amount is higher
The GDPR is important because it was the first major privacy and security law enacted that gives consumer and citizens of Eu specific controls over how their personal information is collected, used, shares, and stored by companies. With active enforcement, heavy fines and consequences for non-compliance, companies are required to comply with the requirements of the GDPR.
GDPR impacts any company that collected, uses, shares, or stores personal information from EU citizens, no matter where the company is located geographically.
GDPR provides EU citizens certain rights over the personal information that a company collects or uses. These rights include Right to Access, Right Erasure (Delete), and others. CYTRIO provides a fast and simple way for the consumer to submit a data subject access request (DSAR). CYTRIO’s out of the box workflows and automated data discovery helps companies reduce the time to respond to a DSAR to minutes while saving 80% cost. CYTRIO also provides Article 30 reports to meet audit requirements.
Q3 2022 Research Report – 9,827 companies researched
