The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR became enforceable on 25 May 2018.
The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.
Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Individuals have the right to be informed about the collection and use of their personal data.
Individuals have the right to access their personal data and supplementary information.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
Individuals have the right to request the deletion or removal of personal data when there is no compelling reason for its continued processing.
Individuals have the right to restrict the processing of their personal data.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
Organizations must appoint a Data Protection Officer (DPO) in certain cases, such as when processing is carried out by a public authority or when core activities involve regular and systematic monitoring of data subjects on a large scale.
Organizations must conduct a Data Protection Impact Assessment (DPIA) when processing is likely to result in a high risk to individuals.
Organizations must notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it.
Organizations must maintain records of processing activities under their responsibility.
Under GDPR, organizations can be fined up to €20 million or 4% of their global annual turnover, whichever is higher. The level of fines depends on the severity of the infringement and whether it was intentional or negligent.
In addition to fines, organizations may face other enforcement actions, such as: