General Data Protection Regulation (GDPR) - Revision history

User at 15:45, 4 January 2023

2023-01-04T15:45:09Z

User at 14:14, 22 December 2022

2022-12-22T14:14:52Z

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T16:03:04Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

User at 15:03, 23 February 2019

2019-02-23T15:03:46Z

Show changes

User at 13:56, 23 February 2019

2019-02-23T13:56:44Z

User: Created page with "'''Content Coming Soon'''"

2018-12-27T07:36:08Z

Created page with "'''Content Coming Soon'''"

New page

'''Content Coming Soon'''

@@ Line 1: / Line 1: @@
-The General [[Data]] Protection Regulation (GDPR) is a legal [[framework]] that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data [[management]] and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.<ref>Definition: What is General Data Protection Regulation (GDPR)? [https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp Invetopedia]</ref>
+The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.<ref>Definition: What is General Data Protection Regulation (GDPR)? [https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp Invetopedia]</ref>
 The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to:
@@ Line 5: / Line 5: @@
 *Protect and empower all EU citizens data privacy
 *Reshape the way organizations across the region approach data privacy.
-GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable [[asset]] – data.<ref>Explaining General Data Protection Regulation (GDPR) [https://eugdpr.org/ EU GDPR.Org]</ref>
+GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.<ref>Explaining General Data Protection Regulation (GDPR) [https://eugdpr.org/ EU GDPR.Org]</ref>
@@ Line 20: / Line 20: @@
 '''Requirements of the GDPR of 2018'''<ref>GDPR Structure and Requirements [https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection Digital Guardian]</ref><br />
-The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential [[impact]] on security operations:
+The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
-*Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more [[control]] over personal data that is processed automatically. The result is that data subjects may transfer their personal data between [[service]] providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
+*Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
 *Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
-*Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. *Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high [[risk]].
+*Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. *Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
 *Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
 *Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
 *Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
-*Article 45 – Article 45 extends data protection requirements to international companies that collect or [[process]] EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
+*Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
 *Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
@@ Line 34: / Line 34: @@
 '''GDPR Compliance Steps'''<ref>GDPR RoadMap [https://www.cmsdistribution.com/steps-general-data-protection-regulation-gdpr/ CMS Distribution]</ref><br />
-Following the General Data Protection Regulation compliance steps detailed below will not only help diminish data breach risks and help organisations comply with the GDPR, build the trust with customers and be able to grow [[business]].
+Following the General Data Protection Regulation compliance steps detailed below will not only help diminish data breach risks and help organisations comply with the GDPR, build the trust with customers and be able to grow business.
@@ Line 44: / Line 44: @@
 *Check if the organisation needs to appoint a Data Protection Officer (DPO) to take responsibility and control of data protection issues in the company.<br />
 Step 2: Data mapping and audit: An essential step in preparing for compliance with the General Data Protection Regulation (GDPR) is conducting a data mapping and audit.
-** Mapping out of all the organisations’ data flows, which is a process of drawing up an extensive [[inventory]] of the data to get a comprehensive understanding of where the data flows from, within and to.
+** Mapping out of all the organisations’ data flows, which is a process of drawing up an extensive inventory of the data to get a comprehensive understanding of where the data flows from, within and to.
 **Start the audit process to assess data protection practices around those flows of information and look at whether you have effective policies and procedures in place.<br />
-Step 3: [[Policy]] development and review: Building consensus up-front is the key to any successful GDPR compliance project. It needs to be rehearsed from the CEO/managing director downwards.
+Step 3: Policy development and review: Building consensus up-front is the key to any successful GDPR compliance project. It needs to be rehearsed from the CEO/managing director downwards.
-**Focus on the policy development and review. Start from formalising the GDPR project start with the key stakeholders: Management, HR, Operations, IT, [[Accounting]], [[Marketing]] and etc
+**Focus on the policy development and review. Start from formalising the GDPR project start with the key stakeholders: Management, HR, Operations, IT, Accounting, Marketing and etc
 **Create an action plan which would include all the tasks that need to be completed before GDPR comes into the force
 **Focus on the priorities – key areas where might be high risk of data breaches.<br />
-Step 4: Staff training and awareness: The pivotal component of any organisation’s GDPR compliance framework is [[employee]] awareness and education.
+Step 4: Staff training and awareness: The pivotal component of any organisation’s GDPR compliance framework is employee awareness and education.
 **surveying your employees to evaluate their current understanding about General Data Protection Regulation and their knowledge gaps.
 **create training/workshops to your staff
@@ Line 61: / Line 61: @@
 **Set up appropriate measures to evaluate how the organisation will comply with GDPR requirements.
 *Monitor issues with compliance with data protection legislation
-**Independent testing and [[quality]] assurance to ensure that data protection processes and procedures are being adhered to
+**Independent testing and quality assurance to ensure that data protection processes and procedures are being adhered to
 **Instances of non-compliance should be logged and analysis undertaken to identify trends in non-compliance
 **Establish clear processes for reporting data breaches to the data protection officer to ensure that data breaches are brought to the attention of the regulator within the time frames laid down by the GDPR.
@@ Line 77: / Line 77: @@
 Additionally, companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. "It means the data protection will be a boardroom issue in a way it hasn't in the past combined," Denham says.
-There's also a [[requirement]] for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A blog post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.
+There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A blog post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.

← Older revision		Revision as of 14:14, 22 December 2022
Line 77:		Line 77:
	Additionally, companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. "It means the data protection will be a boardroom issue in a way it hasn't in the past combined," Denham says.		Additionally, companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. "It means the data protection will be a boardroom issue in a way it hasn't in the past combined," Denham says.

−	There's also a [[requirement]] for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A [[blog]] post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.	+	There's also a [[requirement]] for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A blog post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.

@@ Line 1: / Line 1: @@
-The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.<ref>Definition: What is General Data Protection Regulation (GDPR)? [https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp Invetopedia]</ref>
+The General [[Data]] Protection Regulation (GDPR) is a legal [[framework]] that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data [[management]] and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.<ref>Definition: What is General Data Protection Regulation (GDPR)? [https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp Invetopedia]</ref>
 The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to:
@@ Line 5: / Line 5: @@
 *Protect and empower all EU citizens data privacy
 *Reshape the way organizations across the region approach data privacy.
-GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.<ref>Explaining General Data Protection Regulation (GDPR) [https://eugdpr.org/ EU GDPR.Org]</ref>
+GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable [[asset]] – data.<ref>Explaining General Data Protection Regulation (GDPR) [https://eugdpr.org/ EU GDPR.Org]</ref>
@@ Line 20: / Line 20: @@
 '''Requirements of the GDPR of 2018'''<ref>GDPR Structure and Requirements [https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection Digital Guardian]</ref><br />
-The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
+The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential [[impact]] on security operations:
-*Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
+*Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more [[control]] over personal data that is processed automatically. The result is that data subjects may transfer their personal data between [[service]] providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
 *Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
-*Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. *Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
+*Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. *Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high [[risk]].
 *Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
 *Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
 *Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
-*Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
+*Article 45 – Article 45 extends data protection requirements to international companies that collect or [[process]] EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
 *Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.
@@ Line 34: / Line 34: @@
 '''GDPR Compliance Steps'''<ref>GDPR RoadMap [https://www.cmsdistribution.com/steps-general-data-protection-regulation-gdpr/ CMS Distribution]</ref><br />
-Following the General Data Protection Regulation compliance steps detailed below will not only help diminish data breach risks and help organisations comply with the GDPR, build the trust with customers and be able to grow business.
+Following the General Data Protection Regulation compliance steps detailed below will not only help diminish data breach risks and help organisations comply with the GDPR, build the trust with customers and be able to grow [[business]].
@@ Line 44: / Line 44: @@
 *Check if the organisation needs to appoint a Data Protection Officer (DPO) to take responsibility and control of data protection issues in the company.<br />
 Step 2: Data mapping and audit: An essential step in preparing for compliance with the General Data Protection Regulation (GDPR) is conducting a data mapping and audit.
-** Mapping out of all the organisations’ data flows, which is a process of drawing up an extensive inventory of the data to get a comprehensive understanding of where the data flows from, within and to.
+** Mapping out of all the organisations’ data flows, which is a process of drawing up an extensive [[inventory]] of the data to get a comprehensive understanding of where the data flows from, within and to.
 **Start the audit process to assess data protection practices around those flows of information and look at whether you have effective policies and procedures in place.<br />
-Step 3: Policy development and review: Building consensus up-front is the key to any successful GDPR compliance project. It needs to be rehearsed from the CEO/managing director downwards.
+Step 3: [[Policy]] development and review: Building consensus up-front is the key to any successful GDPR compliance project. It needs to be rehearsed from the CEO/managing director downwards.
-**Focus on the policy development and review. Start from formalising the GDPR project start with the key stakeholders: Management, HR, Operations, IT, Accounting, Marketing and etc
+**Focus on the policy development and review. Start from formalising the GDPR project start with the key stakeholders: Management, HR, Operations, IT, [[Accounting]], [[Marketing]] and etc
 **Create an action plan which would include all the tasks that need to be completed before GDPR comes into the force
 **Focus on the priorities – key areas where might be high risk of data breaches.<br />
-Step 4: Staff training and awareness: The pivotal component of any organisation’s GDPR compliance framework is employee awareness and education.
+Step 4: Staff training and awareness: The pivotal component of any organisation’s GDPR compliance framework is [[employee]] awareness and education.
 **surveying your employees to evaluate their current understanding about General Data Protection Regulation and their knowledge gaps.
 **create training/workshops to your staff
@@ Line 61: / Line 61: @@
 **Set up appropriate measures to evaluate how the organisation will comply with GDPR requirements.
 *Monitor issues with compliance with data protection legislation
-**Independent testing and quality assurance to ensure that data protection processes and procedures are being adhered to
+**Independent testing and [[quality]] assurance to ensure that data protection processes and procedures are being adhered to
 **Instances of non-compliance should be logged and analysis undertaken to identify trends in non-compliance
 **Establish clear processes for reporting data breaches to the data protection officer to ensure that data breaches are brought to the attention of the regulator within the time frames laid down by the GDPR.
@@ Line 77: / Line 77: @@
 Additionally, companies that have "regular and systematic monitoring" of individuals at a large scale or process a lot of sensitive personal data have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff – although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. "It means the data protection will be a boardroom issue in a way it hasn't in the past combined," Denham says.
-There's also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A blog post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.
+There's also a [[requirement]] for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person's information they have to clearly explain that consent is being given and there has to be a "positive opt-in". A [[blog]] post from Denham explains there are multiple ways for organisations to process people's data that doesn't rely upon consent.

← Older revision		Revision as of 13:56, 23 February 2019
Line 1:		Line 1:
−	'''~~Content Coming Soon~~'''	+	The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR came into effect across the EU on May 25, 2018.<ref>Definition: What is General Data Protection Regulation (GDPR)? [https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp Invetopedia]</ref>
		+
		+	The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is designed to:
		+	*Harmonize data privacy laws across Europe,
		+	*Protect and empower all EU citizens data privacy
		+	*Reshape the way organizations across the region approach data privacy.
		+	GDPR reshapes the way in which sectors manage data, as well as redefines the roles for key leaders in businesses, from CIOs to CMOs. CIOs must ensure that they have watertight consent management processes in place, whilst CMOs require effective data rights management systems to ensure they don’t lose their most valuable asset – data.<ref>Explaining General Data Protection Regulation (GDPR) [https://eugdpr.org/ EU GDPR.Org]</ref>
		+
		+
		+	== GDPR Timeline ==
		+
		+	'''Below is an illustration of the GDPR timeline'''
		+
		+	[[File:GDPR_Timeline.png\|300px\|GDPR Timeline]]<br />
		+	source: [https://www.planhat.com/eu-data-directive-2018/ Planhat]
		+
		+
		+	GDPR Structure
		+	The GDPR itself contains 11 chapters and 91 articles. The following are some of the chapters and articles that have the greatest potential impact on security operations:
		+
		+	Articles 17 & 18 – Articles 17 and 18 of the GDPR give data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the “right to portability”), and they may direct a controller to erase their personal data under certain circumstances (also called the “right to erasure”).
		+	Articles 23 & 30 – Articles 23 and 30 require companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
		+	Articles 31 & 32 – Data breach notifications play a large role in the GDPR text. Article 31 specifies requirements for single data breaches: controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach and must provide specific details of the breach such as the nature of it and the approximate number of data subjects affected. Article 32 requires data controllers to notify data subjects as quickly as possible of breaches when the breaches place their rights and freedoms at high risk.
		+	Articles 33 & 33a – Articles 33 and 33a require companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.
		+	Article 35 – Article 35 requires that certain companies appoint data protection officers. Specifically, any company that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must designate a data protection officer; these officers serve to advise companies about compliance with the regulation and act as a point of contact with SAs. Some companies may be subjected to this aspect of the GDPR simply because they collect personal information about their employees as part of human resources processes.
		+	Articles 36 & 37 – Articles 36 and 37 outline the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.
		+	Article 45 – Article 45 extends data protection requirements to international companies that collect or process EU citizens’ personal data, subjecting them to the same requirements and penalties as EU-based companies.
		+	Article 79 – Article 79 outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company’s global annual revenue depending on the nature of the violation.