Coming May 2018, any company operating within the EU or outside its boundaries that has access to the personal data of EU citizens will have a new set of regulations to comply with. With these new standards set by the General Data Protection Regulation, consumer rights relating to their personal data will be protected. As per the EU GDPR, any company, whether present in EU countries or not, is bound to comply with the new regulations if it has access to EU citizens' personal data.
Read on to know more about the major requirements of the GDPR.
Main Requirements of GDPR
If an organisation wants to store data about a consumer who belongs to an EU country, it must obtain that person's consent first. The minimum age at which a person can give consent has been increased to 16 from 13.
Any company that has access to EU citizens' personal data must notify the EU government in the event of a data breach. This notification must be made within 72 hours of discovering the incident that led to the security breach.
Availability of Data in Machine-Readable Format
As per the new regulations laid down by the EU GDPR, organisations are required to maintain consumer data in a machine-readable and commonly used format. This is because individuals are now given the right to move their personal data from one controller to another. Therefore, organisations are bound to provide individuals with their personal data when they request it.
Sharing of Data
Upon the request of EU citizens, controllers hired by organisations will have to delete their personal data. Moreover, they will also be obliged to stop sharing that data with third parties.
Purpose of Data
The EU GDPR gives customers rights over their data. They can obtain electronic copies containing private records of the processing, use, and purpose of their personal data. Organisations are bound to provide all this information to consumers upon request.
Data Processing Officer
Any company that stores consumer data on a large scale needs to appoint a Data Processing Officer to supervise its policies on data access and use. An existing staff member can fill this post. Organisations can also make a new hire or appoint a contractor to perform the duties of a DPO.
Privacy by Design – A Legal Requirement
According to the new regulations of the EU GDPR, privacy by design will be considered a legal requirement. Every product or process of a company must conform to the security regulations right from the design phase.
Failing to comply with the regulations can result in a fine of 20 million euros or 4% of the company's previous year's global turnover.
To sum it up, if your organisation deals with consumer data in the EU, the first thing you need to do is identify the data your company is accumulating, the purpose for which it is accessed, and the systems/channels used for its processing. Make sure you are following all the regulations of ISO 27001 and your information security management system.