GDPR

Overview

Companies that collect European Union citizens’ personal data are required to comply with the General Data Protection Regulation (GDPR). Compliance with the new requirements of the GDPR becomes effective on May 25, 2018, replacing the Data Protection Directive 95/46/EC. Failure to comply with the GDPR requirements can lead to penalties and fines of up to €20 million or 4 percent of global annual turnover. Furthermore, non-compliance directly affects brand reputation and exposes companies to negative publicity that damages consumer confidence.

The GDPR establishes a single, uniform data protection law for all EU member states, ensuring consistency across the entire EU so that individual members need not write their own data protection laws. The regulation also applies to any company that markets goods or services to EU residents, regardless of where that company is located. The GDPR requires organisations to develop, document, and implement controls for handling EU citizens’ data in order to improve the safeguarding and security of the processing and movement of personal data.

The GDPR requirements are organized into 11 chapters and 91 articles; the following have the greatest impact on compliance processes and operations:

  • Chapter 2 – Principles
    o Article 5: Principles relating to processing of personal data

  • Chapter 3 – Rights of the data subjects
    o Article 17: Right to erasure (‘right to be forgotten’)
    o Article 18: Right to restriction of processing
    o Article 23: Restrictions

  • Chapter 4 – Controller and processor
    o Article 24: Responsibility of the controller
    o Article 25: Data protection by design and by default
    o Article 30: Records of processing activities
    o Article 31: Cooperation with the supervisory authority
    o Article 32: Security of processing
    o Article 33: Notification of a personal data breach to the supervisory authority
    o Article 34: Communication of a personal data breach to the data subject
    o Article 35: Data protection impact assessment
    o Article 36: Prior consultation
    o Article 37: Designation of the data protection officer

  • Chapter 5 – Transfers of personal data to third countries or international organisations
    o Article 45: Transfers on the basis of an adequacy decision

  • Chapter 8 – Remedies, liability and penalties
    o Article 79: Right to an effective judicial remedy against a controller or processor

GDPR Compliance Program

The GDPR Compliance Program is designed to answer the questions raised by any company that stores, processes or transmits EU citizens’ personal data when evaluating and selecting products to support the GDPR requirements. The Compliance Program provides validated evidence of a product’s features and capabilities in support of the GDPR requirements.

GDPR compliance testing and analysis cover several aspects of the product, including:

• Compliance Effectiveness
• Product Capabilities Support
• Scope Impact Analysis and Coverage
• Management and Usability
• Suitability for Use and Recommended Configuration
• Product Roadmap

GDPR Compliance Testing criteria

Compliance testing is conducted by trained analysts against the GDPR Compliance Program criteria, as well as Compliance Labs’ functional and quality-assurance requirements. The GDPR Compliance Program criteria are based on the intent of the GDPR requirements as seen from the auditors’ perspective, on companies’ needs, and on queries from numerous specialists, including vendors of affected products, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Reports of Compliance, which also document the product components submitted by the vendor and the configuration of the product as tested.

Continuous evaluation process

Compliance Labs has developed the GDPR continuous evaluation process as a fundamental aspect of the GDPR Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria to drive product compliance effectiveness and quality over the long term.

Learn more about GDPR requirements