The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, whether that data belongs to residents or to visitors.
GDPR fundamentally changes how privacy, data protection and personal data are understood in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.
GDPR also changes the way that these laws are enforced and brings potential penalties that are significant in nature. Penalties for failing to comply with the articles of GDPR may subject the organization to fines up to €20m or 4% of the organization’s total global revenue, whichever is greater.
Schneider Downs provides multiple solutions to help our clients achieve and maintain compliance with GDPR:
1. Awareness
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger-scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.
2. Document the personal information you hold
You should document the personal data you hold, where it came from, what you do with it and who you share it with. We use data flow diagrams and business process diagrams for each process.
3. Communicating privacy information
You should review your current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.
4. Individual rights: the right to be forgotten, data portability, data rectification, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete any outdated data (e.g., the right to be forgotten), transfer data on request or correct any inaccurate data.
5. Data subject access requests / data processing requests
You should update your procedures and plan how you will handle data extraction requests to meet the 30-day requirement. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data. They also have the right to inquire about the nature of further processing and treatment of their data while it was in the controller’s possession.
6. Organize your data
Identify all the data subjects for which you process or store sensitive data and determine whether GDPR applies to their country. Document the supervisory authority for each member country and identify the data controller for each process. You need to also determine who the lead supervisory authority will be based on your overall activities.
7. Lawful basis for processing personal data
You should review your current practices and contracts, identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.
8. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. If your existing consent processes do not meet the GDPR standard, update them now.
9. Data breach / incident response plan
You should ensure that you have an incident response plan in place to detect, report and investigate personal data breaches. The plan needs to be documented and tested.
10. Security of processing
You should ensure that certain technical safeguards are in place to ensure that risk to personal data is effectively mitigated. Your plan should include techniques such as the pseudonymization and encryption of personal data. Effective controls must ensure not only ongoing security but also the confidentiality and availability of personal data.
11. Data protection by design and data protection impact assessments
You should familiarize yourself now with the code of practice on Data Protection Impact Assessments as well as the latest guidance from the Article 29 Working Party, and then decide how, when or whether you need to implement these in your organization.
12. Data Protection Officer
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to the highest level of management.
If your organization has not yet achieved compliance with GDPR, visit our "Our Thoughts On" blog to read more advice on how to become compliant.
Schneider Downs’ team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.
Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and business advisory services to public and private companies, non-profit organizations and global companies. We also offer Internal Audit; Technology Consulting; Software Solutions; Personal Financial Services; Retirement Plan Solutions and Corporate Finance Services. Schneider Downs is the 13th largest accounting firm in the Mid-Atlantic region and serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD) and other states in the U.S., with offices in Pittsburgh, PA; Columbus, OH; and McLean, VA.
©2024 Schneider Downs & Co., Inc. Maryland license number 35239.
Every moment matters. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For other requests, please fill out the form below.