Hit enter to search

Your 10 essentail GDPR requirements - Part 1

Author Avatar
Geert Van de Steen
Chief Information Security Officer , EASI

The authorities are getting up to speed in handling complaints and breaches, and yes, they do impose fines. Here is your checklist, in simple wording, what it takes to make you as compliant as possible to the GDPR regulation.

The General Data Protection Regulation is not an easy document to understand. It demands knowledge and perseverance to struggle your way through the whole legislation. and even then there is still room for discussion. No many companies take the effort to find out if they are in violation of the GDPR law. However, I believe they should. 

Processing of personal data

This is a good place to start. Since organizations must process personal data in a lawful, fair and transparent manner. What does that mean? 

  • Lawful: means that the processing of the personal data must be based on a legitimate interest. There are only 6 of them available, described here
  • Fair: Organizations shall not process personal data for another purposes than the legitimate interest. Just be honest and do what you promise.
  • Transparent: Organizations must inform the data subjects how they process the personal data.

Limit the processing of personal data

You should limit the processing of personal data and collect only what is really necessary. You cannot keep the personal data once the purpose of the processing is finished. Conclusion:

  • Do not process personal data outside of your legitimate purpose
  • Only process the personal data you need
  • Delete the personal data if the legitimate purpose is fulfilled. Yes, you cannot keep it any longer, it's against the law.

Data subjects have rights 

Any data subject - which basically means a natural person, it might be you - has the right to:

Consent 

If the lawfulness of the processing of personal data is based on consent of the data subject, a clear and explicit consent of the data subject must be asked. Organizations should store and document this consent.

The data subject is always allowed to withdraw this consent. For the processing of personal data of children, organizations should take extra measures

Personal Data Breach

Organizations should have a register of all data breaches. The Data protection Authority must be notified when the risk and freedoms of the data subjects are high in case of a data breach. An evaluation must be made to also inform the data subjects themselves.

In my next article, I'll deal with more GDPR related items like Privacy by Design, DPIA, Data transfers and much more.

NIS2 whitepaper

Current job openings

Get our top stories in your inbox every month

Follow us

  

Share this article