7 Key GDPR Requirements & the Role of Data Governance


GDPR Key Requirements and Data Governance
As discussed in our previous blog and infographic "What's GDPR and the Penalties for Not Complying", companies that do not abide by the General Data Protection Regulation (GDPR) can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is greater. The first step toward avoiding those fines is for every organization to familiarize itself with the new GDPR requirements and the rights they give data subjects. Let's look at the key requirements of GDPR and the best approach to company-wide compliance.

Key Components of the GDPR

  • Right to Access
    • The right for data subjects to obtain from a company confirmation as to whether or not personal data on them is being processed, and if so where, for what purpose, for how long and with whom it is shared. The organization must provide a copy of the personal data, in a commonly used electronic format when the request is made electronically, and the first copy must be free of charge.

  • Breach Notification
    • Companies must notify the Supervisory Authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A notification made after 72 hours must explain the delay.
    • The affected individuals must also be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms, so the organization needs an incident response process that can assess a breach's risk quickly enough to meet both clocks.

  • Right to be Forgotten (Right to Erasure)
    • Individuals have the right to require a company to delete their personal data when there is no longer a lawful basis for continued processing, for example when the data are no longer necessary for the purpose for which they were collected, when consent has been withdrawn, or when the data were processed unlawfully. In practice this means a company must be able to find every copy of an individual's data, including copies in backups and downstream systems, in order to honor the request.

  • Data Portability
    • Individuals have the right to receive the personal data they have provided to a company in a structured, commonly used and machine-readable format, and to have it transmitted directly to another company where technically feasible.

  • Privacy by Design
    • Data protection must be built into the design of systems from the beginning, not added later (the GDPR calls this "data protection by design and by default"). The regulation states that "the controller shall implement appropriate technical and organisational measures ... in an effective manner in order to meet the requirements of this Regulation and protect the rights of data subjects", and names pseudonymization and data minimization as examples of such measures.
    • Companies may only hold and process the personal data strictly necessary for the stated purpose (data minimization), and must limit access to personal data to those who need it to carry out the processing (least privilege).

  • Consent
    • GDPR requires consent to be freely given, specific, informed and unambiguous, signaled by "a statement or a clear affirmative action" that indicates agreement to the processing of the individual's personal data. Pre-ticked boxes and silence do not count, and consent must be as easy to withdraw as it was to give.
    • Requires parental consent for processing the personal data of children under 16 in connection with online services (member states may lower this threshold to as low as 13).

  • Data Protection Officers
    • The designation of a Data Protection Officer is required for public authorities and for organizations (EU and foreign) whose core activities consist of processing operations that require regular and systematic monitoring of EU individuals on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offenses.
    • The DPO is responsible for monitoring, in an independent manner, the organization's internal application of the regulation, for advising on data protection impact assessments, and for acting as the contact point for the Supervisory Authority. To do this the DPO relies on the record of processing activities that the GDPR requires the organization to maintain for every processing operation involving personal data.

The new GDPR requirements state what companies need to do, but it’s up to the companies to figure out how to comply. This is where data governance comes into play.


Download our eBook - GDPR Guide: 3 Steps to Readiness
Assess readiness and build a roadmap for meeting GDPR compliance obligations by the deadline of 25 May 2018.

Data Governance for GDPR 

Companies must have clear insight into the data they hold that falls under these regulations: how it comes into the organization, what happens to it while it is under your control, and what controls govern it leaving the organization. Successful organizations will architect information capabilities that not only manage the lineage of these data assets, but also actively assess vulnerabilities and track risk mitigation activities.

The governance capabilities required by the DPO to monitor, enforce and report on compliance will be critical. Proving due diligence will require DPOs to establish clear linkages between policies and standards, the underlying data, and the associated use of that data across the various business processes within an organization. DPOs building out their dashboards will need to establish metrics and measures that are both transparent and defensible to the regulatory agencies.

Our data governance software solution, Information Value Management®, is foundational for those companies faced with the GDPR challenge. Information Value Management® brings context to your data by capturing business rules, standards, policies and procedures and connecting them not only to the underlying data, but also to metrics, processes, and objectives. For the CDO, CROs and DPOs, Information Value Management® delivers the governance hub that aligns business priorities with compliance requirements. You can easily map out your governance structure in a way that the whole organization understands.

The GDPR is less than a year and a half away. How is your organization making sure it will avoid penalties and fines?
