With the regulation only going into force on 25 May 2018, there is still time to implement the GDPR. Below are ten practical steps to help your company become compliant.

1) Set up a data protection compliance team ASAP; appoint a DPO, if needed, or a person in charge of data privacy

Entities that regularly and systematically monitor data subjects, or process sensitive data, on a large scale must appoint a Data Protection Officer (DPO). Germany-based companies will also continue to require a DPO once they have at least ten employees. Even where no DPO is required, appointing a person responsible for data protection compliance is recommended. That person, like a DPO, should have the knowledge, support and authority to carry out the changes needed to implement the GDPR and meet its requirements. They should be assisted by a team composed of IT, HR and external advisors. This person can also raise awareness of the impact of the GDPR.

2) Map data processing in a data register

Companies will no longer need to submit filings with data protection authorities (DPAs). Data controllers are, however, accountable and must be able to show that they have compliant policies and procedures, particularly since penalties are enhanced (fines of up to €20m or four per cent of worldwide annual turnover, whichever is higher). It is therefore advisable to document the data a company holds, which will help assess what actions and changes need to be taken. Expect this to take several weeks. Ask yourself:
• Who holds / manages the data? Data controllers, persons or departments responsible, data processors, service providers;
• What data? Categories of data controlled and processed, potentially sensitive data, data about children (the GDPR requires parental or guardian consent where consent is relied on to offer online services to a child);
• Why? Purpose of data processing (marketing purposes, HR management, etc.);
• Where? Location of the servers, data flows (outside the EU?);
• Until when? Data retention period.
This information should be included in the data register.
3) Assess gaps / new requirements

With this data map, companies may assess which documents and procedures need to be amended or implemented, and start building an action plan in order to comply with the GDPR's requirements.

4) Formulate an action plan

Your action plan to implement the GDPR should include the following:
• Make sure only data that is strictly necessary is kept;
• Identify a legal basis for each collection (consent, legitimate interest, contract, legal obligation);
• Review the information that must be provided to data subjects;
• Consider how they may exercise their rights (access, rectification, portability, erasure);
• Make sure data processors are aware of their new obligations;
• Check security measures, which need to be adapted to each company's needs.

5) Map and manage risks

Companies whose activities involve high risks to the rights and freedoms of individuals (large-scale processing, sensitive data or profiling) must carry out Privacy Impact Assessments (PIAs, called Data Protection Impact Assessments or DPIAs in the text of the GDPR). A PIA assesses the necessity of the processing and the proportionality of the risks against the protection measures in place. Mapping risks will help assess whether a PIA is required.
Keep reading for points six to ten on how to successfully implement GDPR