8 Top GDPR Questions to Prepare for the Upcoming Regulation

GDPR will take effect on May 25, 2018 and require businesses to adopt a strict set of guidelines to maintain compliance. The regulation requires companies to enact a ‘reasonable’ level of protection for personal data, which, given how broadly it is defined, will be a real challenge for organizations in the months ahead.

There are a number of resources on the web to help you grasp the basics, including our expanding GDPR coverage from a data management perspective. However, many questions are sure to remain, since the regulation will impact every organization in a different way.

That’s where Solutions Review comes in. We’ve compiled this list of 8 GDPR-centric questions to ask during your research phase. Considering that a shocking number of companies are unprepared for the May deadline, we suspect that there’s something here for everyone.

1. Does GDPR apply to my organization?

The answer is probably yes. GDPR requirements will force the majority of US-based companies to alter the way they collect, process, and store personal customer data. The regulation has an increased scope of applicability in that it requires all non-EU companies to comply with the new regulations so long as they process or control data belonging to European citizens.

2. What is the objective of GDPR?

Its primary goal is to give individuals more control over their data, as well as provide protections against those that may mishandle personal information. The law will act as a framework to ensure that all the world’s businesses adhere to the same set of standards when handling data belonging to Europeans from the 28 member nations.

3. Who is responsible for obtaining and maintaining compliance?

A Data Protection Officer is an enterprise security leadership role that will be required by the GDPR. This role is responsible for leading the overarching data protection strategy inside an organization as it relates to compliance with the new regulation.

4. Am I a processor or controller?

Organizations are subject to obligations based on whether they are classified as a controller or a processor in connection with the data subjects’ personal data. The two are subject to different rules, so it is important both to understand the distinction and to be sure which camp your organization belongs in.

5. What are the consequences for non-compliance?

Organizations in breach of GDPR can be fined up to 4 percent of annual global turnover or €20 million (whichever is greater). However, there is a tiered approach to fines which depends heavily on the offense. The fines apply to both controllers and processors, which means that the regulation will be enforced on cloud providers as well. There is some uncertainty as to how penalties will be assessed by the governing body, however.

6. What rights do individuals have once GDPR goes into effect?

GDPR grants 8 ‘fundamental rights’ to individuals. You can read a nice summary of them here, but in a nutshell, individuals have the right to know how their information is being held, the right to have their information corrected if it is inaccurate or incomplete, and the right to retain and reuse their personal data for their own purposes. In addition, individuals can ask companies to delete their data under the ‘right to be forgotten.’

7. How will Brexit impact GDPR?

According to London-based independent GDPR analyst Chiara Rustici, the regulation will still apply to UK companies that do business within the borders of the European Union. Since the regulation applies to any business that collects data from citizens of the EU, Brexit figures to have only a minor impact on UK-based organizations.

8. Is data stored in third party systems compliant?

There’s a common misconception that using a third party solution like Amazon Web Services or Microsoft Azure satisfies the GDPR mandate in and of itself. This is untrue, and organizations would be wise to reach out to their partners to discuss compliance. Storing data externally does not absolve the organization from penalties should an issue arise.

Timothy King