Regulatory and Audit Compliance
I think I need to comply with the GDPR regulation. How do I know if it applies to me, and if it does, what should I do?
GDPR became a binding Regulation on May 25th of this year. Even if your organization is not headquartered in the European Union (EU), it can still apply if you are processing the personal data of data subjects residing in the Union, regardless of your company's location. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Under the GDPR, organizations will have a diverse set of rules to follow in order to ensure and prove accountability and compliance, including:
- maintaining documentation on the personal data being processed and purpose,
- conducting impact assessments for riskier processing, and
- integrating data compliance measures into data processing activities.
An important first step is assembling a cross-functional team from within your organization that represents the legal, information management, and information technology functions. All are stakeholders in preparing a risk-based strategy and plan for compliance.
Key questions to consider are these:
- What personal data are we collecting and why?
- Can we minimize what we collect?
- How is it protected?
- Who has access to the personal data?
- Who are we distributing to and how?
Organizations will need to map their data and information flows in order to assess their privacy risks.