The General Data Protection Regulation (GDPR) is the European regulation on the protection of individuals with regard to the processing of their personal data and the free movement of such data.
While this regulation is not recent (in has been in force since May 2018), during the last years there was a very significant volume of user complaints against the different Agencies, leading to a significant increase in both the number and the aggregate value of the imposed sanctions. In Spain, for instance, the number of sanctions imposed by the Spanish Data Protection Agency increased by 380% during the last years, and the amount of the penalties increased by more than 600% compared to the previous year, with fines of up to 6 million euros.
Compliance with the GDPR regulation requires action by firms in different areas:
- Organizational: there is a need to establish the Privacy Office, adapting its location, functions and sizing, and establishing its links with other areas, as well as developing its governance and privacy policies.
- Processes: firms need to ensure the registration and maintenance of their data processing activities. They also need to implement processes that allow them to properly manage data subject rights and consent, to implement data protection by design and by default, and to ensure secure international data transfers.
- Control: firms need an ongoing control model as well as periodic self-assessment processes.
- Tools: firms need to implement either market tools or tools developed in-house to cover all the different processes.
This regulation applies to any firm that processes personal data of European Union citizens. The areas responsible for compliance with these regulations in an organization are Compliance and Legal as well as the CISO, CIO and CDO roles.