Ten practical steps companies should take to implement GDPR

With the regulation only going into force 25 May 2018, there’s still time time to implement GDPR. Below are ten practical steps to help your company become compliant.

1) Set up a data protection compliance team ASAP; appoint a DPO, if needed, or a person in charge of data privacy

Entities who regularly and systematically monitor data subjects or sensitive data on a large scale must appoint a Data Protection Officer (DPO). Germany-based companies will also continue to require a DPO for companies with at least ten employees.

Appointing a person responsible for data protection compliance is recommended. That person, like a DPO, should have the knowledge, support and authority to carry out changes needed to implement GDPR and meet its requirements. They should be assisted by a team composed of IT, HR and external advisors. This person can also raise awareness on the impact of the GDPR.

2) Map data processing in data register

Companies will no longer need to submit filings with data protection authorities (DPA). Data controllers are, however, accountable and must be able to show they have compliant policies and procedures, particularly since penalties are enhanced (fine of up to €20m or four per cent of worldwide turnover).

It is therefore advisable to document the data a company holds, which will help assess what actions and changes need to be taken. This should take several weeks. Ask yourself:

• Who holds / manages the data? Data controllers, persons or departments responsible, data processors, service providers;
• What data? Categories of data controlled and processed, potential sensitive data, data about children (the GDPR requires parental or guardian consent to collect such data);
• Why? Purpose of data processing (marketing purposes, HR management, etc.);
• Where? Location of the servers, data flows (outside the EU?);
• Until when? Data retention period.

This information should be included in the data register.

3) Assess gap / new requirements

With this data map, companies may assess what documents and procedures need to be amended or implemented and start building an action plan in order to comply with GDPR requirements.

4) Formulate an action plan

Your action plan to implement GDPR should include the following:

• Make sure only data that is strictly necessary is kept;
• Identify a legal basis for each collection (consent, legitimate interest, contract, legal obligations);
• Review information requirements of data subjects;
• Consider how they may exercise their rights (access, rectification, portability, erasure);
• Make sure data processors are aware of new data obligations;
• Check security measures, which need to be adapted to each company’s needs.

5) Map and manage risks

Companies whose activities involve high risks against the rights and freedoms of individuals (large scale processing, sensitive data or profiling) must implement Privacy Impact Assessments (PIAs). PIAs will assess the processing need, and the proportionality of the risks with protection measures. Mapping risks will help assess whether a PIA will be required.

Keep reading for points six to ten on how to successfully implement GDPR

Share this story