For those looking to implement GDPR ahead of time, here's a quick round-up of the steps you should be looking to take.
With the regulation only coming into force on 25 May 2018, there's still time to implement GDPR. Below are ten practical steps to help your company become compliant.
1. Set up a data protection compliance team ASAP; appoint a DPO, if needed, or a person in charge of data privacy
Entities that regularly and systematically monitor data subjects, or that process sensitive data on a large scale, must appoint a Data Protection Officer (DPO). Companies based in Germany will also continue to require a DPO once they have at least ten employees.
Appointing a person responsible for data protection compliance is recommended. That person, like a DPO, should have the knowledge, support and authority to carry out the changes needed to implement GDPR and meet its requirements. They should be assisted by a team composed of IT, HR and external advisors. This person can also raise awareness of the impact of the GDPR.
2. Map data processing in a data register
Companies will no longer need to submit filings to data protection authorities (DPAs). Data controllers are, however, accountable and must be able to show they have compliant policies and procedures, particularly since penalties are enhanced (fines of up to €20m or four per cent of worldwide turnover).
It is therefore advisable to document the data a company holds, which will help assess what actions and changes need to be taken. This should take several weeks. Ask yourself:
- Who holds / manages the data? Data controllers, persons or departments responsible, data processors, service providers;
- What data? Categories of data controlled and processed, potential sensitive data, data about children (the GDPR requires parental or guardian consent to collect such data);
- Why? Purpose of data processing (marketing purposes, HR management, etc.);
- Where? Location of the servers, data flows (outside the EU?);
- Until when? Data retention period.
This information should be included in the data register.
3. Assess gaps / new requirements
With this data map, companies can assess which documents and procedures need to be amended or implemented, and start building an action plan to comply with GDPR requirements.
4. Formulate an action plan
Your action plan to implement GDPR should include the following:
- Make sure only data that is strictly necessary is kept;
- Identify a legal basis for each collection (consent, legitimate interest, contract, legal obligations);
- Review information requirements of data subjects;
- Consider how they may exercise their rights (access, rectification, portability, erasure);
- Make sure data processors are aware of new data obligations;
- Check security measures, which need to be adapted to each company’s needs.
5. Map and manage risks
Companies whose activities involve high risks to the rights and freedoms of individuals (large-scale processing, sensitive data or profiling) must carry out Privacy Impact Assessments (PIAs). A PIA assesses the need for the processing and whether the protection measures are proportionate to the risks. Mapping risks will help assess whether a PIA is required.
6. Review data subject information and consent notices
Existing privacy notices need to be updated. New notices must explain the legal basis for data processing, disclose retention periods, and state that individuals may complain to the DPA if they believe there is a problem with the way the company handles their data. This information must be provided in concise, clear and easy-to-understand language.
7. Implement internal processes to handle data subject requests
Under the GDPR, data subjects will have enhanced rights and may request to:
- Access their data;
- Have inaccuracies corrected;
- Have information erased (right to be forgotten);
- Benefit from data portability: this new right requires companies to provide, electronically and in a commonly used format, the data of individuals who request it.
Companies should check if internal procedures cover all these rights, including how to handle such requests.
8. Renegotiate / review contracts
To implement GDPR, companies should ensure data processing agreements refer to the processor's new liability obligations and contain an obligation for the processor to notify the data controller in the event of a data breach.
9. Make sure you’ve got data breach response plans in place
Companies need to notify the relevant DPA of a data breach within 72 hours, and to notify affected individuals if the breach impacts their rights and freedoms. Companies must make sure they have breach response plans in place to detect, report and investigate data breaches.
10. Address the issue of international data transfers
Companies which transfer data outside the EU will continue to need protective safeguards in place. For countries which do not provide an adequate level of protection under the GDPR, companies must use methods such as Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules, consent or codes of conduct. Existing safeguards may need to be updated or new ones implemented.
If a company operates internationally, it must also determine which DPA has primary jurisdiction.