This article sums up the main steps your organization has to follow to become GDPR compliant. If you are looking for more detail, a link to the complete official General Data Protection Regulation is at the bottom of this page.
1) Make sure that the people who work with personal data are aware of the new regulation. Possible channels are an internal newsletter, a publication on the intranet, or an internal meeting.
2) If you work with personal data, the GDPR requires you to keep an up-to-date record of processing activities (Art. 30). It states what data you actually process, why you process it, where it comes from, whether it is transferred outside the EU, and how long it is retained. Maintaining this record is your responsibility.
3) The controller and the processor must designate a data protection officer (Art. 37) if:
- The processing is carried out by a public authority or body.
- The core activities of the controller or the processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of large-scale processing of the special categories of data listed in Art. 9 of the GDPR, or of data relating to criminal convictions and offences as mentioned in Art. 10.
4) Privacy by default and privacy by design. You also have to respect the 'data minimisation' principle: no more personal data may be processed than is necessary for the purpose. Data minimisation plays a central role in the two new legal obligations of privacy by default and privacy by design (Art. 25). Privacy by default means that the default settings of a product or service must be the privacy-friendly ones, so that only the data necessary for each specific purpose is processed unless the user chooses otherwise. Privacy by design means that protection of the data subject's privacy is built into the processing from the design stage onward, for example by anonymising or pseudonymising data wherever possible.
5) If you outsource the processing of your data to a website builder or a marketing agency, you must enter into a processor agreement (Art. 28). Such agreements already existed, but the GDPR adds mandatory terms. Among other things, the agreement must state that the data you process is adequately protected by appropriate security measures, that the processor may only engage a sub-processor with your prior authorisation, and that the processor acts only on the documented instructions of the controller.
6) Individuals now have more control over their data, through the right to data portability (receiving their data in a structured, machine-readable format and having it transmitted from one organisation to another) and the right to be forgotten (erasure). You should therefore set up procedures that let data subjects exercise these rights simply and easily. Moreover, if a controller has made personal data public and is obliged to erase it, it must take reasonable steps to inform other controllers that are processing that data of the data subject's erasure request. For more information, refer to Art. 17 of the GDPR.
7) Set up a Privacy Impact Assessment (PIA). A PIA, called a Data Protection Impact Assessment (DPIA) in Art. 35 of the GDPR, is used to assess the impact of a specific processing operation on the privacy of the people involved. It should specify what data is processed and for which purpose, along with the impact of the operation. You also have to assess the necessity and proportionality of the processing, including an assessment of the risks to the rights and freedoms of natural persons and of the safeguards and measures that reduce the impact on privacy.
8) Identify where your organisation requests consent for the processing of personal data and check whether this is in line with the requirements of the GDPR. You must be able to prove not only that consent was given, but also when, why and how it was given. Note also that withdrawing consent must be as easy as giving it. As Art. 7 of the GDPR puts it: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data."
9) Establish a data security policy that is regularly reviewed and improved. It should cover at least the following:
- Strong passwords (sufficient length and a mix of character types).
- Controlled access: who may access which personal data.
- Logging of actions concerning personal data: who is logged in and what actions they perform.
- Physical access security measures.
- Encryption of files containing personal data.
- Periodic spot checks of compliance with the policy.
- Backups and management of copies.
- Security of network connections.