The GDPR applies to both organizations based in the European Union (EU) as well as those outside the EU but sell their goods/services to the EU, or process and/or hold personal information of EU citizens. This is a step forward for individuals towards achieving greater transparency and control over their personal data, and for businesses becoming more accountable.
The GDPR law applies to ‘personal data’, any information that can be used directly or indirectly to identify the identity of a person. Examples of personal data range from name, location to even the identification number of the person.
To make sure your organization is GDPR compliant, here are some steps you can look into:
Evaluate various areas in your product and company to check for GDPR impact areas.
Bring in changes to your privacy policy and communicate to users of changes made with respect to GDPR.
Make sure enough awareness is created about GDPR in your organization, especially to key people in the decision-making process.
Strengthen procedures in the event of a data breach and having a response plan in place.
Ensure your technical security meets international standards of compliance.
Maintain documentation of all the personal data you have access to, where it is gotten from and how it will be used.
Sign DPAs with all the sub-processors used by your organization.
Include a legal basis explaining the reason your company needs to process personal information in your privacy policy.
Provide an outline of processes relating to personal data for the public to be able to access.
Seek explicit consent and allow existing users to withdraw consent.
Provide easy access to an individual’s personal information on request.
Make sure customers can update their information easily.
Implement Privacy by Design.
Get procedures in place for data portability and management.
Delete data that is not necessary for the company from customers that stopped using your services.
International data transfer has to be on par with GDPR rules.