Welcome to part two in a four-part blog series about the European Union's GDPR. In our previous blog, we discussed highlights and FAQ on the GDPR. Now, let's move on to the GDPR's requirements and practical ways you can satisfy them.
In a nutshell, the GDPR defines rules that govern personal data processing, and it leaves no stone unturned: from how enterprises collect and store personal data to how it is transmitted, modified, and audited for change.
Ground rules
Before we discuss the GDPR's requirements, let's go over the ground rules.
- Based on your business context, you need to identify the personal data that your enterprise is going to deal with.
- Learn who your enterprise will be collecting data from and why it’s being collected.
Answering these two questions gives you an inventory of what personal data you hold, where it came from, and why. That inventory is the basis for the auditing measures that will demonstrate your compliance with the GDPR.
Get access to all the resources related to the GDPR from our exclusive GDPR zone.
The mighty rules on personal data collection
- Consent is crucial: The GDPR sets out how personal data should be collected from data subjects. If enterprises obtain consent in written form (a consent declaration), it must be drafted in clear and plain language, and the request for consent must be clearly distinguishable from any other matters in the same document.
- Forms of getting consent: Enterprises can get consent from data subjects using:
- Written statements on their website with a check box that indicates that the data subjects agree to the statement and consent to the organization using their data for specific purposes.
- Technical settings or options in information society services or social media sites through which data subjects actively indicate that they accept the processing of their personal data. Such settings must not be enabled by default: a pre-ticked box, silence, or inactivity does not count as consent.
- State the purpose: Clearly communicate to data subjects why the data is being collected, and assure them that it will not be processed for any other purpose. If the data is being collected for more than one purpose, you must explicitly list each one and obtain consent for each.
Post data collection action plans
Alright, we've seen how to go about getting consent from individuals while collecting data. Now that you have the data in hand, follow these action plans to support GDPR auditing:
- Isolate personal data: Keep data subjects' personal data separate from the rest of your enterprise's data. Auditing is far more effective when personal data lives in its own store: tracking user access, data modification, and data deletion, and managing permissions to personal data, is much easier when the data is isolated rather than scattered across general-purpose systems.
- Be aware of the storage period: Under the GDPR's storage limitation principle, personal data must not be kept for longer than is necessary for the purposes for which it was collected, and in practice no longer than any retention period you stated to the data subject when obtaining consent. Isolating personal data also makes it easier to monitor how long each record has been stored. Certain security solutions can raise a notification when personal data has been retained beyond the stated period.
- Track access: Grant access only to those who are authorized to process the data. Keep an eye on the privileged permissions that are being granted. Establish measures to monitor permission grants, privilege escalations, and user activity on the storage system that holds the personal data, so that an unauthorized read, a surprise admin grant, or an unexpected deletion is noticed rather than discovered later.
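The three action plans above describe what to check but not how. As an added example that is not part of the original post, the following script shows a minimal version of those checks: a retention monitor that flags subjects whose stated storage period has expired, a purpose check that flags processing a subject never consented to, and an access audit over log lines from an isolated personal-data store. The record layout, the `pii/` store prefix, the log format, and the authorized-processor list are all assumptions for illustration, and the sample records and log lines are constructed, not real data.

```python
"""Added example: retention, purpose and access checks for an isolated
personal-data store. Data model and log format are assumptions, not the
original post's code; all sample data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purposes: tuple        # purposes the subject explicitly consented to
    collected_on: date     # date consent was obtained
    retention_days: int    # storage period stated to the subject


def retention_deadline(rec):
    """Last day the record may be kept under the stated storage period."""
    return rec.collected_on + timedelta(days=rec.retention_days)


def overdue_records(records, today):
    """Subjects whose stated retention period has expired: erase or re-justify."""
    return sorted(r.subject_id for r in records if today > retention_deadline(r))


def purpose_violations(records, processing_jobs):
    """Jobs that process a subject's data for a purpose they never consented to.

    processing_jobs is an iterable of (job_name, subject_id, purpose)."""
    consent = {r.subject_id: set(r.purposes) for r in records}
    return [(job, sid, purpose) for job, sid, purpose in processing_jobs
            if purpose not in consent.get(sid, set())]


# Constructed audit-log lines in an assumed "ts actor ACTION target [role=...]" format.
LOG_LINE = re.compile(r"^(\S+) (\S+) (GRANT|READ|DELETE) (\S+)(?: role=(\S+))?$")
SAMPLE_LOG = """\
2018-05-25T09:00:01Z alice READ pii/customers
2018-05-25T09:05:12Z bob GRANT pii/customers role=admin
2018-05-25T09:07:40Z mallory READ pii/customers
2018-05-25T10:00:00Z alice DELETE pii/customers/s-1001
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, actor, action, target, role = m.groups()
            events.append({"ts": ts, "actor": actor, "action": action,
                           "target": target, "role": role})
    return events


def audit_access(events, authorized, pii_prefix="pii/"):
    """Report every privilege grant on the isolated store and every
    read/delete by an actor outside the authorized-processor set."""
    findings = []
    for e in events:
        if not e["target"].startswith(pii_prefix):
            continue  # not personal data; out of scope for this audit
        if e["action"] == "GRANT":
            findings.append(("privilege-grant", e["actor"], e["role"]))
        elif e["actor"] not in authorized:
            findings.append(("unauthorised-" + e["action"].lower(), e["actor"], e["target"]))
    return findings


# Constructed sample consent records for a stand-alone run.
SAMPLE_RECORDS = [
    ConsentRecord("s-1001", ("billing",), date(2018, 1, 1), 90),
    ConsentRecord("s-1002", ("billing", "marketing"), date(2018, 5, 1), 365),
]
SAMPLE_JOBS = [("newsletter", "s-1001", "marketing"), ("invoice", "s-1002", "billing")]

if __name__ == "__main__":
    today = date(2018, 5, 25)
    print("overdue:", overdue_records(SAMPLE_RECORDS, today))
    print("purpose violations:", purpose_violations(SAMPLE_RECORDS, SAMPLE_JOBS))
    print("access findings:", audit_access(parse_log(SAMPLE_LOG), {"alice"}))
```

Each check returns a list rather than printing, so the same functions can feed a scheduled job or an alerting pipeline. The audit deliberately treats every privilege grant on the store as a finding, not just grants to unknown users, because a new admin on the personal-data store is exactly the event a reviewer wants to see and justify.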
So that's it for the GDPR's data collection rules. Watch out for the next blog on the data processing requirements of the GDPR.
Want to check your GDPR-readiness? Take this simple survey.