There are a number of key requirements that organization must fulfill to be GDPR complaint as follows:

1. Obtaining consent

The terms of consent in the GDPR must be clear. This means that organizations should avoid padding their terms and conditions with complex language designed to confuse their data subjects. Consent should be easily provided and withdrawn at any time.

2. Breach notification

If a security breach occurs, companies have 72 hours to report the data breach to both their data subjects and the relevant EU regional authority. Failure to report breaches within this timeframe will lead to significant fines.

3. Right to data access

If an individual (Customer/ Employee) requests his/her existing data profile, organizations must be able to provide a detailed electronic copy of the data that was collected. This report should also include the different ways in which the individual’s data is being utilized.

4. The right to be forgotten

In Canada, this requirement is known as ‘the right to data erasure’. Once the original purpose or use of the customer data has been realized, any individual has the right to request the entire deletion of his/her data.

5. Privacy by design

This section of GDPR requires organizations to design their systems with the proper security protocols in place from the start. Failure to design systems of data collection appropriately will result in a fine.

6. Potential data protection officers

In some cases, an organization may need to appoint a Data Protection Officer (DPO). The need depends upon the size of the organization, and how sensitive the data is that it controls/ processes.