But first, let’s start by dispelling two myths regarding the GDPR:
Myth #1: GDPR compliance is the job of the legal or IT department only. The fact is, protecting personal data is not solely the responsibility of the legal or the IT department. Personal data can originate from, or be processed by, many other departments or areas in an organization. So, all areas involved in the “data processing chain” must follow the GDPR principles in their respective business processes.
Myth #2: Only companies in the European Union must comply with the GDPR. The fact is, as soon as your organization conducts business in Europe or processes personal data of EU citizens, you must comply with the GDPR, even if your company is not located there.
If you don’t follow the GDPR rules, administrative fines of up to 4% of your company’s total worldwide annual turnover or 20 million EUR, whichever is higher, can be imposed. So, you should not take this lightly, as the penalty can threaten your business continuity. Before you address the concrete requirements of the GDPR, it is important to understand that the main objectives of this regulation are:
(1) to give EU citizens protection with regards to the processing of their personal data, and
(2) to create transparency about the movement of personal data in the EU region.