GDPR Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law that establishes mandatory requirements for all organizations (and persons) storing and processing personal data of Data Subjects (EU residents) and grants unprecedented rights to Data Subjects, including:

  • The right to data portability: Data subjects can request that organizations processing their information provide a copy of that data
  • The right of access: Data subjects have the right to access the information stored by the organization
  • The right of correction: Data subjects can request corrections to their information
  • The right to be forgotten: Data subjects can request that their data be deleted, provided no superseding laws prevent that action

GDPR has a broad definition of Personal Information (PI) that, aside from names, addresses, emails, phone numbers, and identification numbers, includes IP addresses, GPS coordinates, mobile device IDs, browser cookies, and any other elements that may directly or indirectly identify a person. Additionally, GDPR requires organizations to have a legal basis for processing and storing personal information. The six legal bases provided in the law are:

  • Data subject’s consent
  • Performance of a contract
  • Compliance with legal obligations
  • Protection of the vital interests of a data subject
  • Performance of a task carried out in the public interest
  • Legitimate interests of the organization or third parties

Organizations are also required to protect Data Subjects’ PI and provide a notification to the Supervisory Authority within 72 hours after a breach has been discovered. GDPR establishes significant fines for non-compliance, up to €20 million, or up to 4% of the annual worldwide revenue of the preceding financial year, whichever is greater.

Who needs to comply with GDPR?

Virtually all organizations (and persons) that store or process EU residents’ PI must comply with GDPR, even if the organization does not have a presence in EU member countries. GDPR defines two main types of legal entities: Data Controllers and Data Processors. Data Controllers are organizations (and persons) that own the data and establish how this data is stored and processed. Data Processors, typically third-party service providers to Data Controllers, process and store data based on directions provided by Data Controllers.

Why comply with GDPR?

There are many reasons why companies must comply with GDPR aside from the fact that protecting PI is a legal and moral obligation for all organizations, including:

  • GDPR establishes significant fines for non-compliance, up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
  • Most enterprises (Data Controllers) have a process in place to assess their vendors’ (Data Processors) compliance with GDPR. If the vendor doesn’t have sufficient policies, processes, and technologies implemented, the Data Controller will not sign a contract with the vendor.
  • If a Data Controller or Data Processor experiences a data breach, they will have significant consequences including:
    • Legal penalties
    • Loss of customers’ and consumers’ trust
    • Lawsuits
    • Loss of existing and prospective contracts
    • Public image damage

How to comply with GDPR?

GDPR is based on seven key principles provided in Article 5 of the regulation. All organizations must demonstrate their adherence to these principles.

  • Lawfulness, fairness, and transparency: Data must be processed in a lawful, fair, and transparent way in relation to the Data Subject
  • Purpose limitation: Data must be processed only for a specific purpose that is clear to the Data Subject and Data Controller
  • Data minimization: Data storage and processing must be limited to only what is necessary for executing the purpose
  • Accuracy: Processed data must be up-to-date and corrected whenever necessary
  • Storage limitation: PI must be stored only for as long as necessary for its legitimate purpose or as required by law
  • Integrity and confidentiality: The integrity and confidentiality of PI must be protected
  • Accountability: The organization must be able to demonstrate its compliance with the GDPR principles

There is no one-size-fits-all approach to GDPR compliance, as different organizations have different people, processes, and technologies. Additionally, the requirements for Data Controllers and Data Processors differ slightly. However, there are general requirements that must be met by all organizations, including:

  • Implement data privacy policies and procedures
  • Create a Data Protection Officer (DPO) role
  • Ensure data privacy by design
  • Establish a Data Privacy Impact Analysis (DPIA) process
  • Ensure a legal basis is established for all processed PI
  • Implement procedures for processing Data Subjects’ requests
  • Develop and document breach notification procedures
  • Sign Data Privacy Agreements (DPA) with applicable third parties
  • Ensure the confidentiality and integrity of PI
  • Implement a security awareness and training program
  • Ensure the lawfulness of data transfers

How can Planet 9 help?

Planet 9 employs seasoned professionals with years of experience across various industries who can help with addressing all GDPR requirements. A typical engagement consists of the following process:

  • Conduct a discovery to understand the client’s organization, business processes, and technologies
  • Identify all of the client’s data and third parties in the GDPR scope
  • Perform a GDPR assessment to identify compliance gaps
  • Develop a roadmap for addressing the identified compliance gaps and risks
  • Assist the client in executing the roadmap

Depending on the expertise and availability of the client’s internal resources, Planet 9 can implement the entire roadmap, position the client to execute the roadmap on their own, or supplement the client’s team.