1.Determine your role under the GDPR
A data controller is any organisation that determines the purposes and means of processing personal data, i.e. why and how it is processed. The GDPR therefore applies not only to organisations established in the EU, but also to organisations outside the EU that process personal data in order to offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects within the EU. Such organisations must, with limited exceptions, designate a representative in the EU to act as a contact point for the data protection authorities (DPAs) and for data subjects.
2.Appointing data protection officer (DPO)
Many organisations and companies are required to appoint a data protection officer (DPO). A DPO is mandatory where the organisation is a public authority or body, where its core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data. It should be pointed out that "large scale" does not necessarily mean hundreds of thousands of data subjects.
The DPO may be an employee or an outsourced professional. In either case the DPO can never serve only the business's interests: the role must be exercised independently, the DPO may not be penalised or dismissed for performing it, and the DPO has specific duties towards the Data Protection Authorities (DPAs), acting as their contact point and cooperating with them on request.
3.Strong accountability in all processing activities
The answer here is simple: adequate policies and procedures. Why? Because only a few organisations have identified every single process in which personal data is involved. Going forward, purpose limitation, data minimisation (relevance) and data quality should be decided on when a new processing activity is started, as this makes it far easier to keep future processing compliant. Adequate procedures and policies must therefore be put in place, together with a record of processing activities.
Organisations must demonstrate accountability and transparency in all proceedings regarding privacy matters and their processing activities. Third parties, including processors and suppliers, must also comply with the relevant requirements, which affects supply, change management and procurement processes.
Probably the most important part of the GDPR for day-to-day operations is that, where consent is the legal basis for processing, it must be properly obtained and recorded. No more pre-ticked boxes and implied consent! A clear affirmative action by the data subject is required, and withdrawing consent must be as easy as giving it, so organisations need to implement streamlined techniques to obtain, document and honour consent and its withdrawal.
4.Data transfers around the world
Data flows to any of the EU member states remain unrestricted. Two further categories need no additional safeguards. The first is the EEA states Norway, Liechtenstein and Iceland, which apply the GDPR. The second is the 11 countries that the European Commission (EC) has deemed to provide an "adequate" level of protection; transfers to these remain possible without further measures.
Outside of these states, appropriate safeguards such as binding corporate rules (BCRs) or standard contractual clauses (the EU "Model Contracts") must be put in place. EU-based data controllers should pay particular attention to the GDPR's requirements when selecting or evaluating data processors outside the EU and ensure that appropriate contractual and technical controls are in place.
Outside of the EU, organisations processing personal data on EU residents should put in place an appropriate mechanism to ensure compliance with the GDPR.
5.Data subjects exercising their rights, including newly acquired rights
Data subjects have more, and more extensive, rights under the GDPR. These include:
- the right to be forgotten (erasure);
- data portability; and
- the right to be informed (for example, when a data breach is likely to result in a high risk to them).
If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.
The threat of heavy fines, together with the increasingly empowered position of individual data subjects, puts businesses in a dangerous position, but one that can be managed if adequate policies and procedures are put in place. Businesses and organisations need to seek compliance and should take a decision that leads to a reassessment of their measures for the safe processing of personal data.