Navigate the General Data Protection Regulation with CYTRIO

Proactive data privacy compliance: Data Mapping, Data Protection Impact Assessments, Records of Processing Activities and DSAR Response Workflows

What is the GDPR?

Keeping consistent with the importance of human rights in the European Union, the GDPR was created to bolster those rights in a digital era. Passed in 2016 and effective on May 25th, 2018, the GDPR is recognized as the strongest, most comprehensive data privacy regulation in the world. The GDPR protects individuals’ personally identifiable information (PII) from unlawful processing or destruction. Organizations must only collect data to fulfill a legitimate business purpose and must have a legal basis, such as consent, for data processing. Specific principles and data subject rights need to be followed for compliance and for avoidance of severe fines and penalties.

The 7 Rights of GDPR:

The right to be informed that you’ve collected and used personal data

The right to access personal data and how it’s processed

The right to rectify inaccurate or incomplete personal data

The right to erase data

The right to restrict the processing of personal data

The right to data portability

The right to object

The 7 Principles of GDPR:

Principle: Description

Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to the data subject

Purpose Limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it

Data Minimization: You should collect and process only as much data as necessary for the purposes specified

Accuracy: You must keep personal data accurate and up to date

Storage Limitation: You may only store personally identifying data for as long as necessary for the specified purpose

Integrity and Confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality

Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all these principles

Best Practices: How to Comply

Compliance starts with a strategic plan and checklist. Below are a few tips to get going:

Update your privacy policy to acknowledge that you are aware of the GDPR

Review the legal basis for processing personal data

Document all data that is collected and processed

Map personal information fields to each internal database

Appoint a person, team, or Data Protection Officer who can own data privacy

Maintain reporting metrics for auditing: show auditors your data landscape, proof of purpose, and all data subject access requests completed to date

Meet the proper deadlines (30 days to respond to requests)

What are the fines and penalties for non-compliance?

There are two tiers of GDPR fines:

Less Severe

Fine up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher

More Severe

Fine up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher

Frequently Asked Questions

Put into effect on May 25th, 2018, the GDPR is a data privacy and security regulation for citizens in the European Union (EU). Any company, no matter where it is domiciled, needs to adhere to the GDPR if it collects, uses, shares, or stores personal information related to EU citizens.

The GDPR is important because it was the first major privacy and security law enacted that gives consumers and citizens of the EU specific controls over how their personal information is collected, used, shared, and stored by companies. With active enforcement, heavy fines, and consequences for non-compliance, companies are required to comply with the requirements of the GDPR.

The GDPR impacts any company that collects, uses, shares, or stores personal information from EU citizens, no matter where the company is located geographically.

The GDPR provides EU citizens certain rights over the personal information that a company collects or uses. These rights include the Right to Access, the Right to Erasure (Delete), and others. CYTRIO provides a fast and simple way for the consumer to submit a data subject access request (DSAR). CYTRIO’s out-of-the-box workflows and automated data discovery help companies reduce the time to respond to a DSAR to minutes while saving 80% of the cost. CYTRIO also provides Article 30 reports to meet audit requirements.

Data Protection Authorities (DPAs). DPAs are independent from the government but work together as a group on the European Data Protection Board.
Any individual who has their permanent address in any European country within the European Union.
An individual whose data is collected and processed, and who resides in the European Union.
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form.
The process of matching fields from one data source to another.
A person who determines the purposes and means of the processing of personal data.
A third-party who processes personal data on behalf of the controller.

Why CYTRIO?

NextGen Privacy Rights Management

State of CCPA and GDPR Privacy Rights Compliance

Q3 2022 Research Report – 9,827 companies researched
