GDPR is built on seven key principles, and there are a number of practical obligations a company must meet to be compliant. Broadly, these fall into the following key areas:
Individuals have the right to access their personal data, correct errors in their personal data, have their personal data deleted, object to the processing of their personal data, and export their personal data. Systems and processes must be put in place to facilitate this.
Security & Internal Control
Organisations are required to take all reasonable measures to protect personal data. GDPR technical requirements vary depending on data processing activities, but some measures apply to all organisations. Systems must be hardened against attack, and password policies must be implemented and enforced. If a data breach occurs, the relevant supervisory authority must be notified within 72 hours. Consent must be obtained for processing data, and records detailing data processing activities must be kept.
Organisations are required to provide clear notice of data collection, detail data processing purposes and use cases, and define data retention and deletion policies.
A Data Protection Officer (DPO) must be appointed if you are a public body, or if you carry out certain types of processing activities. All employees involved in the control or processing of personal data should receive appropriate training.