GDPR stands for General Data Protection Regulation. Designed to give individuals greater control over their own data, the GDPR has been in place and enforceable in the EU since May 25, 2018. While this important law originated in the EU, it is far-reaching: organizations around the world are subject to substantial penalties if they handle EU citizens’ data and are not compliant.
The 7 Principles of GDPR
HPS will help your organization take the actions needed to become GDPR compliant, ensuring that it follows the seven data protection principles that apply when processing personal data:
Lawfulness, fairness, and transparency – When collecting data, organizations must be clear about why data is being collected, how it will be used, and provide further information to data subjects upon request.
Purpose limitation – Organizations must have a legitimate reason for collecting and processing personal information, and may use that data only for the designated purpose unless the data subject gives consent for another use.
Data minimization – Organizations should store only the minimum amount of data required, as holding more data than necessary is potentially unlawful. Data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed”.
Accuracy – Personal data must be accurate, fit for purpose, and current. Organizations should review and delete, or amend, inaccurate information accordingly. Individuals have the right to request that inaccurate or incomplete data be erased, or rectified, within 30 days.
Storage limitation – While the GDPR does not state how long personal data should be retained, once personal data is no longer needed, it should be deleted or destroyed. Data cannot be held for possible future use; however, some exceptions for archiving, research, and statistical purposes do exist.
Integrity and confidentiality – The GDPR requires organizations to have security measures in place that are appropriate to the risks presented by their processing, and to ensure those measures protect any personal data they store.
Accountability – Organizations must take responsibility for the data they hold, comply with the other principles, and be able to evidence the steps they have taken to do so. This includes evaluating practices, appointing a Data Privacy Officer, creating a personal data inventory, obtaining consent, and carrying out Data Protection Impact Assessments.
To ensure the highest levels of success, HPS has partnered with OneTrust to leverage its technology platform. The OneTrust platform helps organizations operationalize privacy initiatives and maintain year-after-year compliance with all routine privacy requirements.
Contact us today to learn more about how HPS can help you build a plan and develop processes to achieve GDPR compliance.