Late To Comply with GDPR? Here Are Three Steps You Can Take Now.

Background

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and to the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, whether that data belongs to residents or to visitors.

The GDPR has made profound changes to the understanding of privacy, data protection and personal data in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.

Penalties for failing to comply with the articles of GDPR may subject the organization to fines of up to €20m or 4% of the organization's total global revenue, whichever is greater. If your organization hasn’t begun the process of ensuring compliance, there are certain highly effective steps that you can take immediately to bring your compliance program to life. Here are some steps and recommendations to get started.

Raise Awareness

If your organization is late to the GDPR party, chances are there is an awareness issue. Complying with GDPR means taking meaningful actions to change the way your employees use personal data within your business, including being able to respond to incidents and breaches that affect that personal data. The awareness process supports all other processes by explaining, communicating and reinforcing both GDPR requirements and good practice. Therefore, raising awareness of the GDPR at all levels of the organization is imperative.

Classify and Identify Personal Data

Understanding the data that you hold is one of the key steps in understanding how to design a program for GDPR compliance. Your organization should take a multi-disciplinary approach to this process and work with various stakeholders such as business lines, operations, technology, data and analytics, human resources and potentially others, depending on your business.

You should work to examine and map out your organization’s processes and data flows to identify any data inputs that may be linked to an identified (or indirectly identifiable) person. Where this is the case, the process or procedure handling the data must be identified and inventoried. It is also important to understand that this applies equally to paper-based processing of data, for instance, forms completed and submitted by mail or in other paper form. The output of this phase should include business process documentation, data flow diagrams, a personal data register and a register of data processing activities.

Perform a Data Protection Impact Assessment

Building on the output of the previous step, performing a Data Protection Impact Assessment (DPIA) should be your next step. GDPR requires that a DPIA be performed in certain circumstances (e.g., processing of special categories of data, large-scale data processing, etc.). A DPIA should be designed to describe the data processing, assess the necessity and proportionality of processing that data and determine compliance with the GDPR requirements. The assessment should also ensure that the risks to personal data are properly mitigated and that the safeguards and security measures in place to protect personal data are appropriate in relation to the risk. Any risks to personal data that are not appropriately mitigated should have a risk treatment plan assigned to them and be tracked through remediation.

If you have any questions related to your organization’s compliance with GDPR, please contact Dan Desko at 412-697-5285 or [email protected].


© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
