What is the GDPR and How Do I Ensure My Business is Compliant?
The General Protection Data Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. It replaces the existing EU Data Protection Directive, also known as Directive 95/46/EC, and integrates data protection laws from across the European Union by applying a single, binding data protection law for all member states.
The new regulation represents a significant expansion of the existing directive. The changes were designed to strengthen individual rights around the consent of submitting personal data, as well as individuals’ ability to control their data after submission. This includes a section on data erasure called the “Right to be Forgotten.”
GDPR also spells out new policies and procedures for Controllers and Processors of EU data subjects. In that vein, here are some important questions that will help you determine the law’s applicability to your business, some tips for gaining compliance, and a look at how HorizonIQ is approaching the sweeping new regulation. If you want to delve further, take a look at GDPR at the official website.
How do I know if GDPR will apply to me?
If you’re wondering why there seems to be so much coverage of GDPR in U.S. media, here’s the reason: The regulation applies not just to EU entities or those with operations in the EU, but to all organizations that hold or process an EU citizen’s personal data.
In light of that critical point, ask yourself these questions:
- Does my organization process, transmit, store EU client data?
- What type of personal data does my organization collect/store?
- Does my organization ensure it does not hold such data longer than is necessary?
- Does my organization keep such data safe and secure, using a level of security appropriate to the risk?
- Is encryption necessary to protect the data stored by my organization?
- Does my organization limit access to ensure such data is only being used for its intended purpose?
- Does my organization transfer such data outside the EU, and if so, does my organization have the necessary technologies and processes in place to protect such data?
If GDPR applies to me, what can I do to become compliant under the new law?
The following tips can be used as a guide to comply with GDPR. These recommendations should in no way be considered legal advice. If GDPR applies to your organization, you should consult with an attorney to guide you through the many complexities of the regulation and its applicability to your use case.
1. Understand the law – Know your obligations as it relates to collecting, processing, and storing data, including the law’s many special categories.
2. Create a roadmap – Perform data discovery and document everything – research, findings, decisions, actions and the risks to data.
3. Know which data is regulated – First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
4. Begin with critical data and procedures – Assess the risks to all private data, and review policies and procedures. Apply security measures to production data, and then extend those measures to backups and other repositories.
5. Assess and document other risks – Investigate any other risks to data not included in previous assessments.
HorizonIQ’s Commitment to GDPR Compliance
The security of our global infrastructure is HorizonIQ’s number one priority. Since the law’s passage in 2016, our security and compliance team has been diligently preparing for implementation.
In addition to a thorough review and update to our customer privacy and security policies, HorizonIQ maintains EU-US Privacy Shield Compliance, enters into data processing agreements with its customers if GDPR applies to the processing of their data, and enters into sub-processing agreements with vendors when necessary. We’re also committed to offering first-rate, best-practice security services across all of our products.
For a full breakdown of our processing roles and responsibilities, as well as our commitment to customers as a data controller, please visit our GDPR page.
Updated: January 2019
