GDPR Data Privacy Regulation Suggested Steps

This May marks the first anniversary of the European Union’s General Data Protection Regulation having taken effect.

The first statute of its kind, GDPR was a response to an increasing number of security breaches and the exposure of billions of records containing the personal details of countless individuals as a result.

Its purpose was to define “personal data” and put the onus on companies handling, storing, and using consumer data to protect it from being inadvertently disclosed, or else face significant liability in the form of fines for mishandling company-held personal information (under GDPR, authorities can issue a maximum fine of either €20 million or 4% of total global revenue, whichever is higher). In the lead-up to its implementation, companies worldwide scrambled to understand and prepare for GDPR’s potential implications. A failure to demonstrate compliance can have a material impact on the organization.

However, it’s not just GDPR. With similar legislation taking effect early next year in the form of the California Consumer Privacy Act (CCPA) and Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), organizations will be racing once again to get up to speed and into compliance. Additionally, other ordinances aimed at boosting cyber resiliency, like those of the Australian Prudential Regulation Authority (APRA), put further pressure on organizations to quickly and effectively respond to security breaches.

Breaches on the rise

According to the Identity Theft Resource Center, there were more than a thousand publicly reported breaches in 2018, amounting to more than 400 million records exposed (and breaches are almost certainly under-reported). The past month alone saw 79 recorded data breaches contributing to the exposure of more than 3 million sensitive records. With numbers like these, the rationale driving these international, national and state privacy obligations is plain to see; currently Hawaii, Massachusetts, and Washington are also considering state laws concerning data protection and privacy. Consequently, organizations will increasingly be required to offer more transparency about how they collect, organize and protect customer data, to give consumers the ability to easily opt out or remove identifying information, and to ensure internally that effective controls are in place to protect information assets.

As the definition of “personal data” encompasses essentially anything that may be used to identify an individual, from a job application to browser histories and IP information, the scope of information companies must safeguard is enormous; notably, the CCPA “personal information” protections also cover information about devices and households.

Lessons Learned

The good news is that companies can leverage the lessons learned and investments made in preparation for GDPR to expedite compliance for these and future related regulations. Outlined below are eight steps to develop a repeatable framework for protecting data likely to fall under new and existing data privacy regulations.

1. Scope Your Data: Make sure that you understand which data is in scope for your organization. This should include data about your customers and employees (as a Controller), as well as data you process on behalf of other organizations (as a Processor). These regulations are designed to protect citizens’ and/or residents’ data, regardless of where it resides.

2. Understand Data Transfer Agreements: Businesses need to clearly understand in which jurisdictions data is being held and from which it’s being accessed, to ensure any transfers are accounted for properly and accurately. For instance, under GDPR, EU citizens have the right to request that a data controller transfer their personal data to another data controller, while the CCPA requires businesses to provide personal information in a readily usable format that consumers can transmit from one entity to another.

3. Update Consent Methods or Legal Basis for Processing: Update the methods by which consent is sought from individuals, or how the legal basis for lawful processing of that data is established. This should include assurances that the spirit of data protection principles has been respected. Both GDPR and the CCPA require notification to consumers of privacy practices (prior to or at the time of data collection), as well as of changes to privacy practices, and specific rights applicable to children.

4. Prepare for Subject Access Requests: Individuals can already request to see a copy of the information an organization holds about them. Under GDPR, businesses cannot charge EU consumers for access to data that may be held and must respond within one month of receiving the request; under the CCPA, businesses are required to respond within 45 days. Additional consumer privileges include ‘the right to be forgotten’.

5. Plan for Notification: Under GDPR, data controllers are required to notify the national data protection regulator within 72 hours of a “breach.” This applies when the “data breach is likely to result in a high risk to the(ir) rights and freedoms.” California has a preexisting data breach notification law, separate from the CCPA, requiring businesses or state agencies to notify residents when their personal information has been, or is reasonably believed to have been, breached “in the most expedient time possible and without unreasonable delay”. Should a single breach impact more than 500 California residents, notification must then also be made to the state’s Attorney General.


6. Amend Your Contracts with New Obligations: The legal contracts and policies must reflect suppliers’ obligations to their clients, including consent and requirements. Unlike GDPR, the CCPA does not detail these requirements, but it does obligate businesses to direct their service providers and vendors to delete personal information from their records following a consumer’s request.

7. Revise Your Privacy Policies and Statements: Ensure that the privacy policies and statements to consumers appropriately reflect obligations. Policies should be concise, transparent, intelligible, and free of charge. This includes the tailoring of language to different age groups.

8. Designate a Data Protection Officer: A Data Protection Officer (DPO) or similar individual must be designated under GDPR. This applies to organizations that store a large amount of information about employees or other individuals. In particular, the rule applies to public authorities or those organizations that carry out large-scale monitoring of individuals. Though not similarly required under the CCPA, businesses are expected to implement and maintain “reasonable security practices and procedures” like malware defenses, penetration tests, and data recovery capabilities, among others. Designating a Data Protection Officer can help to ensure these practices and procedures are performing properly.

Both GDPR and the CCPA significantly impact organizations and entities collecting and processing personal data, and violations of either carry the potential for considerable economic liabilities. With more legislation expected, every company should ensure it has a robust framework in place, along with strong data mapping capabilities, so that it understands what information it collects, by whom, and how it is being disclosed, and so that it can respond to both consumers and requirements under the law.
