In 2016, the EU Parliament approved the General Data Protection Regulation (GDPR), a regulation that established new rules for data protection and privacy. With the May 25th deadline fast approaching, companies around the world have started to reassess how they process and protect data to ensure they are in compliance with the EU’s new set of regulations.
How do you know if GDPR compliance applies to you? Statistically speaking, it’s very probable that GDPR applies to your company—a PwC survey showed that 92% of U.S. companies consider GDPR a top data protection priority. GDPR applies if your company has:
- A presence in an EU country
- No presence in the European Union but processes personal data of European residents
- More than 250 employees
- Fewer than 250 employees but its data processing impacts the rights and freedoms of data subjects, happens more than occasionally, or includes certain types of sensitive personal data
Basically, every company that processes any data for EU citizens will be affected. Our GDPR overview can give you helpful context on what GDPR is and how to set processes in place to ensure long-term success.
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is a set of rules and regulations that have been established by the European Parliament to strengthen and unify data protection for EU citizens.
The regulations require businesses to provide a “reasonable” level of protection for personal data and privacy of citizens when transferring or processing personal data within the EU as well as exporting data to places outside of the EU. GDPR establishes a set of customer rights regarding data and takes a broad view of what constitutes personal data, including some information not traditionally considered to be personal data within the United States (e.g. cookie data and IP addresses).
How do I determine whether my company is GDPR compliant?
Companies are GDPR compliant when they meet GDPR standards for personal data protection and privacy, and compliance needs to be in place before the May 25th, 2018 deadline to avoid fines levied by the EU. The standards for compliance are listed in full on the GDPR website, but here are a few key areas that often need to be addressed:
- Establish data security requirements throughout your organization for the full business process.
- Ensure that there are clear, permissible reasons to process personal data, for example a contract, legal consent, etc.
- Confirm that all third-party partners are GDPR compliant, as each partner is equally liable for breaches.
- Establish processes for reporting data breaches to the proper authorities within 72 hours, both internally and for third-party partners, and ensure that contracts are updated to reflect the agreed-upon processes.
- Implement formal Data Privacy Impact Assessments (DPIAs) when using new technologies and for any data that poses a "high risk" to the rights and freedoms of individuals.
- Establish clear processes so that individuals can easily move, copy, or transfer their personal data across different services within one month of requesting it, free of charge.
- Establish procedures for deleting an individual’s data to support the right to be forgotten when data is no longer relevant or necessary.
- For large companies, designate a data protection officer to ensure compliance is maintained.
Although this list is not comprehensive, it provides a general overview of some of the key compliance requirements.
How does GDPR Compliance affect my company long-term?
Some of the long-term changes that companies will need to make include:
- Making data security requirements accessible and up to date throughout the organization
- Ensuring data breach reporting processes are clear and easy to act on at any time
- Regularly assessing systems to ensure that they still provide a reasonable level of data protection
- Ensuring third parties remain compliant
- Performing impact assessments to mitigate risk of breaches by identifying vulnerabilities and deciding how to address them
- Establishing a risk assessment framework to manage data privacy and ensure compliance
How can I streamline GDPR documentation and processes?
With new processes and procedures to put in place and a need for increased transparency on how systems process data, it’s essential to find solutions that make documentation efficient, transparent, and consistent across the organization. Using collaborative data flow diagrams and process flows, teams and companies can communicate essential systems and process information with clarity and ease.
Map out how data is stored and processed
For both the long term and the short term, IT and security teams need to understand how data is stored and processed. Data flow diagrams or data mapping process flow diagrams can help teams quickly map data both in transit and at rest, clearly illustrating how internal systems process information. Here is a data mapping example for GDPR compliance:
Map out processes for retrieving personal data and reporting breaches
To ensure that companies can deliver on an individual’s right to be forgotten and the right to transfer data, as well as report on data breaches quickly and efficiently, it’s important to establish clear processes that are easily accessible to the appropriate people.
Process flows with swimlanes can clearly delineate responsibilities and illustrate exactly what steps need to be taken to carry out a data request or report a data breach. Here’s an example of a process flow diagram:
With Lucidchart’s intuitive drag-and-drop interface, you can easily map out processes and share them with the people who need to see them. Advanced document permission controls give collaborators the right level of access (editing, commenting, or view-only) to ensure that process flows can only be changed by people who have editing access.
Including embedded diagrams in corporate knowledge bases or document stores like Confluence can help companies provide auditors with easily digestible overviews of company systems and processes. Whether you use diagrams to communicate with internal teams or establish processes with third parties, process flows can ensure that everyone stays on the same page for GDPR compliance.