The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation intended to strengthen data protection for people in European Union (EU) countries. The GDPR expands consumer rights surrounding the use of their data, places the responsibility of compliance on Controllers and Processors, spells out specific breach notification requirements, and sets large fines for non-compliance.
The GDPR applies to any organization that handles data of EU subjects, including entities outside the EU. The goal of the GDPR is to provide more power and control to the people regarding how organizations collect and use their personal data.
The Risks of Non-compliance
Failing to be GDPR compliant exposes your organization to significant risk. Fines for non-compliance can reach up to 4% of total global revenue. Several companies, including Marriott, Google, British Airways, and H&M, have been issued multi-million dollar fines for GDPR violations. The potential loss of revenue caused by the damage to an organization’s public image and the loss of consumer trust can be devastating.
How THarWi Can Help
THarWi provides a full suite of services that help organizations manage and respond effectively to privacy requirements. We help organizations proactively identify their gaps, build out frameworks to meet compliance requirements, and can manage their security program on an ongoing basis to maintain compliance.
To achieve GDPR compliance, organizations need to have the appropriate privacy controls implemented to honor consumer rights, address proper disclosure requirements, and maintain records of processing. A risk assessment is typically the first step toward compliance. The assessment provides organizations with a roadmap by helping them understand their GDPR obligations and risk exposure, and whether their current controls satisfy GDPR requirements.
To reach GDPR compliance, organizations need to:
Determine if the GDPR applies to your business
Update privacy policies, notices, and disclosures
Provide consumers a way to submit privacy rights requests
Keep policies and procedures updated and accurate
Document process flows for each type of consumer request
Honor consumer privacy rights