General Data Protection Regulation

Design and maintain a defensible, compliant General Data Protection Regulation (GDPR) strategy.  

GDPR, Europe’s data privacy and security laws, are the most stringent in the world – carrying hundreds of pages of requirements applicable to any organization dealing with data related to people in the European Union (EU).  

Objectives of the GDPR include:

To harmonize the data protection landscape across all member countries to provide legal consistency for individuals and businesses operating in the EU.  

To implement an improved information governance structure centered on independent national data protection authorities. To strengthen individual rights.
Applicable to all EU organizations and both EU and non-EU companies whose operations include the collection, monitoring, control, or processing of EU residents’ personal data.
Explicitly provides individuals with enforceable rights relating to access, rectification, erasure, objection, portability, and transparency – non-compliance can result in fines, warnings or reprimands, orders to rectify, or limitations on processing (including bans).
Includes specific obligations on companies to conduct privacy impact assessments, audits, or policy reviews; to maintain activity records; and, in certain circumstances, to appoint a data protection officer.
Requires that whenever a controller uses a processor – and if that processor uses another organization like a sub-processor to assist them – there must be a written contract or other legal act in place, as well as what must be included in the contract.
Stipulates that companies must establish a lawful basis for processing personal data such as obtaining consent, and establishes specific mechanisms to facilitate data transfers outside the EU and European Economic Area (EEA).

What GDPR means for you

The adoption of this regulation provides supervisory authorities with expanded powers of enforcement. This includes issuing warnings, auditing, requiring remediation, and suspending data transfers toother countries.

 The regulation empowers authorities to issue substantial penalties for non-compliance – depending on severity, organizations could face up to 4% of annual revenue or 20M, whichever is higher.

Significant fines imposed in the past few years such as Google (€50m – France), TIM (€27.8m – Italy), and Austrian Post (€18m – Austria) are significant not only in their amounts, but also the indication that authorities are becoming increasingly comfortable penalizing non-compliance with a very broad range of infringements including simple over-retention of personal data.

Our GDPR offering

Lighthouse’s GDPR offering includes three components – planning, legacy data remediation, and ongoing support services.

Contact us

A Lighthouse expert is available to answer questions about your GDPR needs.

Related Items

Blog

Mitigating eDiscovery Risk of Collaboration Tools

Solution Overview

General Data Protection Regulation

H5 is now Lighthouse

Read the press release