25th May 2018…
The General Data Protection Regulation is approaching fast. With only a year left to prepare, many companies are starting to wonder how to get started on GDPR implementation. Some might think they should start by actually reading the Regulation but, truth be told, after reading the 99 articles you might find yourself more confused than before.
First step: awareness
The one thing everyone seems to agree on is that awareness is key for compliance. This applies not only to your CEO, CSO or CTO but to all the key people in your organization and to those who work directly with personal data. Whether you start with training sessions, on-site workshops or online courses, make sure your employees know the regulation’s requirements before you get started on GDPR compliance projects.
What data do you process?
Once the first step is out of the way, you need to start looking at the type of data you process. You need to be able to answer questions like “whose data do you have, where and how is it stored, did you share it with others – if yes, with whom – and do you have consent for all processing activities on that data?”. Do you share data internationally? If yes, are the other countries inside the EU or outside it? If they are outside, you need to make sure the recipients there are also compliant with the GDPR.
EU Citizens’ Rights
Next, make sure you cover all the EU citizens’ rights. You can read more about these rights here. Make sure the procedures you have in place ensure that you respect all of these rights. You might find you need to implement new procedures in order to get started on GDPR, as it puts a great emphasis on data subjects’ rights. We will be discussing some of these rights in more detail in future blog posts, so if certain aspects are unclear to you, stay tuned. Keep in mind that you have to be able to give data subjects access to their data. Make sure this is clearly implemented in your procedures, updating them if necessary.
Do not forget about consent!
Consent, one of the “hottest” topics of the General Data Protection Regulation, is another aspect to consider when working towards GDPR compliance. Start by reviewing your current methods: how are you asking for consent and how do you record it? Also, are you currently giving your data subjects the option to withdraw their consent? Pay attention, as requesting consent bundled together with other matters, such as general terms and conditions, is considered invalid. Withdrawing consent should be as easy as giving it, so that is another aspect you might need to work on. Failure to comply with this part of the regulation will subject you to the highest fines – up to 20 million dollars, or 4% of the annual turnover, whichever is higher. Do not forget children: if they are younger than 16, you’ll need parental consent to process their data.
How do you protect the data?
Once all of the above are in place, you need to start thinking about Data Protection by Design and by Default. Perform a Data Protection Impact Assessment (DPIA) before you start processing the data. Make sure you are prepared in case of a data breach. Is the personal data you process and/or store secured? Think encryption, pseudonymization, tokenization. Even anonymization, where possible, should be taken into consideration. You do not need the newest, fanciest method. You need to assess what best suits your needs depending on factors like your budget and the type of data you use; for example, sensitive data will need the highest level of security possible.
Do you need a DPO?
Last but not least, decide whether you need a Data Protection Officer (DPO) or not. The main conditions for a mandatory DPO can be found here. If you are still unsure, it is best to appoint one to avoid unnecessary fines.
Implementing the General Data Protection Regulation is not a process that can be done overnight. To get started on GDPR, you’ll need to carefully plan your steps and make sure you don’t omit anything. From employee awareness to security by design and by default and respecting data subjects’ rights, all are equally important steps towards compliance.