    A summary of 10 key GDPR requirements

    The European Union General Data Protection Regulation (GDPR) is a set of rules about how companies should process the personal data of data subjects. GDPR lays out responsibilities for organisations to ensure the privacy and protection of personal data, grants data subjects certain rights, and gives regulators the power to ask for demonstrations of accountability or even impose fines where an organisation is not complying with GDPR requirements. Understanding GDPR requirements can be a daunting task, so this easy-to-follow summary sets out the key requirements.

    1) Lawful, fair and transparent processing

    Companies that process personal data must do so in a lawful, fair and transparent manner. What does this mean in practice?

    • Lawful means all processing should be based on a legitimate purpose.
    • Fair means companies take responsibility and do not process data for any purpose other than the legitimate purposes.
    • Transparent means that companies must inform data subjects about the processing activities on their personal data.

    2) Limitation of purpose, data and storage

    Companies are expected to limit their processing, collect only the data that is necessary, and not keep personal data once the purpose of the processing has been fulfilled. In practice, this brings the following requirements:

    • forbid processing of personal data outside the legitimate purpose for which the personal data was collected
    • mandate that no personal data, other than what is necessary, be requested
    • ask that personal data should be deleted once the legitimate purpose for which it was collected is fulfilled

    3) Data subject rights

    The data subjects have been assigned the right to ask the company what information it has about them, and what the company does with this information. In addition, a data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.

    See also: 8 data subject rights according to GDPR.

    4) Consent

    Whenever a company intends to process personal data beyond the legitimate purpose for which that data was collected, clear and explicit consent must be obtained from the data subject. Once collected, this consent must be documented, and the data subject must be allowed to withdraw his or her consent at any moment.

    Also, for the processing of children’s data, GDPR requires explicit consent of the parents (or guardian) if the child’s age is under 16.

    See also: Is consent needed? Six legal bases to process data according to GDPR.

    5) Personal data breaches

    Organisations must maintain a Personal Data Breach Register and, depending on the severity of the breach, the regulator and the data subject should be informed within 72 hours of identifying the breach.

    See also: 5 steps to handle a data breach according to GDPR.

    6) Privacy by Design

    Companies should incorporate organisational and technical mechanisms to protect personal data in the design of new systems and processes; that is, privacy and protection aspects should be ensured by default.

    See also: How cybersecurity solutions can help with GDPR compliance.

    7) Data Protection Impact Assessment

    To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product. The Data Protection Impact Assessment is a procedure that must be carried out whenever a significant change is introduced in the processing of personal data, whether that is a new process or a change to an existing process that alters the way personal data is processed.

    See also: 5 phases of the EU GDPR Data Protection Impact Assessment.

    8) Data transfers

    The controller of personal data is accountable for ensuring that personal data is protected and GDPR requirements are respected, even when the processing is carried out by a third party. This means controllers have an obligation to ensure the protection and privacy of personal data whenever that data is transferred outside the company, whether to a third party and/or to another entity within the same company.

    See also: Implementing 3 main accountability principles under the EU GDPR.

    9) Data Protection Officer

    When there is significant processing of personal data in an organisation, the organisation should assign a Data Protection Officer. When assigned, the Data Protection Officer would have the responsibility of advising the company about compliance with EU GDPR requirements.

    See also: The role of the DPO in light of the General Data Protection Regulation.

    10) Awareness and training

    Organisations must create awareness among employees about key GDPR requirements, and conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and can identify personal data breaches as soon as possible.

    Conclusion: GDPR principles are key for understanding the GDPR

    To conclude, there are a significant number of requirements under the EU GDPR. It is important to understand these requirements and their implications for your company, and to implement them within the context of your company. Such implementation requires a dedicated effort, much like running a project.


    Author
    Punit Bhatia
    Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. He has experience on both sides of the table in a variety of industries, serving as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises.