The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a law of the European Union (EU) that governs the protection of personal data and privacy rights for EU residents, termed data subjects in the regulation.

In addition, the GDPR addresses the export and use of that personal data outside the EU. This means that organizations outside the EU that offer services to EU residents, or that manage their personal data, must also comply with the GDPR. The law provides for enforcement, including fines for regulatory violations.

The GDPR replaced the earlier Data Protection Directive in 2018, with binding legal force throughout the EU. Following are some key changes introduced by the GDPR:

  • An organization must report a data breach to its national regulator within 72 hours.
  • In calculating penalties and fines, an organization's annual revenue is considered along with other factors.
  • Individual data subjects have the right to erasure, to portability, and to access their data records, among other rights.

Compliance actions required by the GDPR include, but are not limited to: conducting awareness training for the data privacy officer and other employees; implementing procedures to track protected data; establishing a process for speedy data breach reporting; ensuring that consents are obtained from data subjects as needed; and responding promptly to their requests for data access.

Organizations that are governed by the General Data Protection Regulation may also be subject to the Digital Operational Resilience Act (DORA). This includes financial service providers based in the U.S. that offer their services in the European Union, and U.S.-based providers of information and communication technology to those organizations.

24By7 Security

Our services for GDPR Compliance

  • Assisting in finding and securing personal data that is subject to GDPR.
  • Creating policies and procedures required for compliance.
  • Reviewing and assessing data privacy measures.