
GDPR Compliance

The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The regulation is specific to the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The regulation applies to any organization doing business in the EU or that processes personal data originating in the EU, whether that data belongs to residents or visitors.

GDPR profoundly changes the understanding of privacy, data protection and personal data in the EU and has wide-ranging effects on anyone processing personal data of data subjects of the EU. A data subject is defined as a person whose personal data is being captured and processed. If your organization captures just one record of an EU data subject, this regulation applies to you.

GDPR also changes the way that these laws are enforced and brings potential penalties that are significant in nature. Penalties for failing to comply with the articles of GDPR may subject the organization to fines up to €20m or 4% of the organization’s total global revenue, whichever is greater.

How We Can Help

Schneider Downs provides multiple solutions to help our clients achieve and maintain compliance with GDPR:

  • Comprehensive compliance and gap assessments
  • Data Protection Impact Assessment (DPIA) and Privacy Impact Assessment project management
  • Data discovery and data classification programs
  • Data Protection Officer as a service offering: a Schneider Downs expert can assume this required role for your organization.
  • Guidance and execution of erasure or “right to be forgotten” procedures
  • Guidance and implementation of security measures, including anonymization and pseudonymization of personal data
  • Development and execution of training and awareness programs
  • Guidance and implementation of vendor management best practices for ensuring controls over data in the supply chain
  • Development of policies and procedures to bring current practices into compliance

The Schneider Downs GDPR Compliance Approach

1. Awareness
You should make sure that decision-makers and key people in your organization are aware that regulations are changing. They need to appreciate the impact that these changes are likely to have on your organization. In addition, line-level and larger-scale training may be necessary for certain personnel within your organization who handle personal data on a regular basis.

2. Document the personal information you hold
You should document what personal data you hold, where it came from, what you do with it and whom you share it with. We use data flow diagrams and business process maps for each of these processes.

3. Communicate privacy information
You should review current privacy policies, procedures, contracts and notices and put a plan in place for making any necessary changes to meet the GDPR deadline.

4. Individual rights: right to be forgotten, right to data portability, right to rectification, etc.
You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete any outdated data (e.g., right to be forgotten), transfer data upon request or correct any incorrect information.

5. Data subject access requests / requests for information about processing
You should update your procedures and plan how you will handle data extraction requests to meet the 30-day requirement. Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed and, where that is the case, access to the personal data. They also have the right to inquire about the nature of further processing and treatment of their data while it was in the controller’s possession.

6. Organize your data
Identify all the data subjects for which you process or store sensitive data and determine whether GDPR applies to their country. Document the supervisory authority for each member country and identify the data controller for each process. You need to also determine who the lead supervisory authority will be based on your overall activities.

7. Lawful basis for processing personal data
You should review your current practices and contracts and identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.

8. Consent
You should review how you seek, record and manage consent and whether you need to make any changes. If your existing consent processes do not meet the GDPR standard, update them now.

9. Data breach / incident response plan
You should ensure that you have an incident response plan in place to detect, report and investigate personal data breaches. The plan needs to be documented and tested.

10. Security of processing
You should ensure that certain technical safeguards are in place to ensure that risk to personal data is effectively mitigated. Your plan should include techniques such as the pseudonymization and encryption of personal data. Effective controls that ensure not only the ongoing security but also the confidentiality and availability of personal data must also be in place.
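The pseudonymization safeguard named above can be shown concretely. The following is an added example, not Schneider Downs code: it replaces a direct identifier (email) in a set of constructed sample records with an HMAC-SHA256 pseudonym computed under a key held per data subject. The in-memory key table stands in for a separately held, access-controlled key store (an assumption of this example). Because the pseudonym can only be linked back to a person with that key, an erasure request can be honored by destroying the key, which leaves the remaining records unlinkable, and a subject access request is answered by looking the key up without ever minting a new one.

```python
"""Keyed pseudonymization of personal data with erasure by key deletion.

Added illustration, not Schneider Downs code. The per-subject key table below
stands in for a separately held, access-controlled key store (assumption).
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: a direct identifier (email) plus usage data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "pages_viewed": 12},
    {"email": "bob@example.com", "pages_viewed": 3},
    {"email": "Alice@Example.com", "pages_viewed": 5},
]


def _normalize(identifier: str) -> str:
    """Canonicalize an identifier so one person always maps to one pseudonym."""
    return identifier.strip().lower()


class Pseudonymizer:
    """Replace direct identifiers with HMAC-SHA256 pseudonyms under per-subject keys.

    The subject's key is the 'additional information kept separately' that
    pseudonymization depends on; destroying it makes the records unlinkable.
    """

    def __init__(self) -> None:
        self._subject_keys: dict[str, bytes] = {}

    def _tag(self, ident: str, key: bytes) -> str:
        return hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymize(self, identifier: str) -> str:
        """Return the stable pseudonym for an identifier, creating its key on first use."""
        ident = _normalize(identifier)
        key = self._subject_keys.get(ident)
        if key is None:
            key = secrets.token_bytes(32)  # 256-bit random key per data subject
            self._subject_keys[ident] = key
        return self._tag(ident, key)

    def lookup(self, identifier: str) -> Optional[str]:
        """Return the pseudonym if a key exists; never mints a key (access requests)."""
        ident = _normalize(identifier)
        key = self._subject_keys.get(ident)
        return None if key is None else self._tag(ident, key)

    def erase(self, identifier: str) -> bool:
        """Honor an erasure request by destroying the subject's key (crypto-shredding)."""
        return self._subject_keys.pop(_normalize(identifier), None) is not None

    def pseudonymize_records(self, records: list[dict]) -> list[dict]:
        """Copy records with the email replaced by a subject_id pseudonym."""
        out = []
        for rec in records:
            rec = dict(rec)
            rec["subject_id"] = self.pseudonymize(rec.pop("email"))
            out.append(rec)
        return out

    def subject_records(self, records: list[dict], identifier: str) -> list[dict]:
        """Select one subject's records for an access request; empty once erased."""
        pid = self.lookup(identifier)
        if pid is None:
            return []
        return [r for r in records if r.get("subject_id") == pid]


if __name__ == "__main__":
    p = Pseudonymizer()
    recs = p.pseudonymize_records(SAMPLE_RECORDS)
    print("pseudonymized:", recs)
    print("alice's records:", p.subject_records(recs, "alice@example.com"))
    p.erase("alice@example.com")
    print("after erasure:", p.subject_records(recs, "alice@example.com"))
```

An unkeyed hash of the email address would not achieve the same effect, since anyone who knows or can guess an address can recompute its hash; the per-subject key is what makes re-identification depend on information the controller holds separately and can destroy.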

11. Data protection by design and Data Protection Impact Assessments
You should familiarize yourself now with the code of practice on Data Protection Impact Assessments as well as the latest guidance from the Article 29 Working Party, then decide how, when and whether to implement these in your organization.

12. Data Protection Officer
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance model. You need to determine whether you are required to formally designate a Data Protection Officer. If so, this position must report to the highest level of management.

If your organization has not yet complied with GDPR in time, visit our “Our Thoughts On” blog to read more advice on how to become compliant.


Breached?

Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For other requests, please complete the contact form.
