The European Union's General Data Protection Regulation (GDPR) took effect on May 25, 2018. The sweeping reforms under the GDPR built on the data protection principles already in force in the EU member states but modernized them to give individuals greater protection and stronger rights over their personal information (PI; the regulation's own term is "personal data"). The GDPR's data protection rules have since served as a model for comprehensive privacy proposals and laws in Brazil, India, Thailand, and California.
The GDPR has broad reach, including extra-territorial reach. It applies to organizations (data controllers and data processors) that handle the PI of individuals located in the EU, whether or not the organizations themselves are EU-based. It applies to organizations established in the EU even when the PI is stored or processed outside the EU, and to organizations with no EU establishment if:
The following seven key principles under the GDPR provide guidance on how PI must be handled by data controllers and data processors:
The GDPR prescribes the following eight data subject rights:
Processing of PI is prohibited by default unless the law expressly permits it or the data subject has consented to it. Under the GDPR, PI may be processed only on one of the lawful bases prescribed below:
The GDPR prescribes two tiers of administrative fines based on the severity of the violation. Less severe violations may result in a fine of up to €10 million or 2% of the firm's total worldwide annual turnover for the preceding financial year, whichever is higher. More serious violations may result in a fine of up to €20 million or 4% of the firm's total worldwide annual turnover for the preceding financial year, whichever is higher. In the first 20 months after the GDPR took effect, regulators issued hundreds of fines to companies totaling more than €114 million.
Companies need an integrated privacy management platform to manage GDPR compliance and to ensure that privacy is embedded as a core component of their operations. The first step is to understand what PI the company collects and retains, where that PI is stored and how it flows within and outside the company, and what measures are in place, or need to be put in place, to protect its confidentiality and security. Companies must then ensure they can comply with each of the privacy principles set out in the GDPR, including obtaining valid consent from data subjects and honoring their rights of access to and portability of their PI.
CENTRL's Privacy360 (GDPR Edition) is an integrated privacy management platform that offers distinct, inter-related modules for each of these key components.
By using CENTRL's Privacy360, your organization can manage its templates, checklists and questionnaires in one place, while retaining the control to monitor, evaluate and produce audit reports, so that you can focus on results rather than process.