7 steps toward GDPR compliance
1. Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one.
Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute.
2. Designate a driver (DPO)
The appointment of a Data Protection Officer (DPO) is mandatory in 2018 if:
you are a public body
you are a company whose core activity involves regular and systematic monitoring of individuals on a large scale, or large-scale processing of so-called "sensitive" data or data relating to criminal convictions and offences
As the "conductor" of data protection compliance within the organisation, the DPO is primarily responsible for:
Informing and advising the controller or processor (subcontractor) and their employees
Monitoring compliance with the Regulation and national data protection law
Advising the organisation on carrying out data protection impact assessments and verifying their implementation
Cooperating with the supervisory authority and acting as its point of contact
3. Mapping your personal data processing
Under the future regulation, organisations must keep complete internal documentation of their processing of personal data and ensure that this processing complies with the new legal obligations. You therefore have to list precisely:
The different processing operations carried out on personal data
The categories of personal data processed
The purposes pursued by the processing operations
The actors (internal or external) who process these data; you will have to clearly identify processors (subcontracted service providers)
Data flows, indicating the origin and destination of the data, in particular to identify any data transfers outside the European Union
4. Prioritize actions
For each personal data processing operation within your organisation, you must identify the actions to take to comply with current and future obligations:
Make sure that only data strictly necessary for the pursuit of your purposes is collected and processed
Identify the legal basis on which your processing rests (consent of the person, legitimate interest, contract, legal obligation)
Review the information you provide to data subjects to ensure it meets the requirements of the regulation
Check that your processors (subcontractors) know their new obligations and responsibilities, and make sure there are contractual clauses reminding the processor of its obligations regarding security, confidentiality and the protection of the personal data processed
Plan how the rights of the data subjects will be exercised (right of access, rectification, right to portability, withdrawal of consent ...)
Check the security measures in place
5. Manage risks
The data protection impact assessment allows you:
To design a personal data processing operation or a product that respects privacy
To assess the impacts on the privacy of the persons concerned
To demonstrate that the fundamental principles of the Regulation are respected
When to conduct a Data Protection Impact Assessment (PIA)?
Before collecting data and implementing the processing
For any processing likely to create high risks for the rights and freedoms of natural persons
What does a Data Protection Impact Assessment (PIA) contain?
A description of the processing and its purposes
An assessment of the necessity and proportionality of the processing
An assessment of the risks to the rights and freedoms of the persons concerned
The measures envisaged to address these risks and to comply with the Regulation
6. Organize internal processes
Organising the processes involves:
Taking the protection of personal data into account from the design of an application or processing operation (minimising data collection with regard to the purpose, cookies, retention periods, information notices, collection of consent, security and confidentiality of data, defining the role and responsibility of those involved in implementing the processing); to do this, follow the advice of the DPO
Raising awareness and organising feedback by building a training and communication plan for your employees
Handling the complaints and requests of data subjects exercising their rights (rights of access, rectification, objection, right to portability, withdrawal of consent) by defining the actors and the procedures (the rights must be exercisable electronically if the data were collected by that means)
Preparing for data breaches, which in some cases must be notified to the data protection authority within 72 hours and to the data subjects as soon as possible
7. Document compliance
In order to prove your compliance, you must build a documentary record demonstrating that your processing of personal data complies with the regulations. Your file must include the following elements:
Documentation about your personal data processing:
The register of processing activities (for controllers) or the categories of processing activities (for processors/subcontractors)
Data Protection Impact Assessments (PIA, see step 5 above) for processing that may pose a high risk to the rights and freedoms of individuals
The framework for data transfers outside the European Union (in particular standard contractual clauses or BCRs)
Information provided to individuals:
The information notices
The templates for obtaining the consent of the persons concerned
The procedures put in place for the exercise of individuals' rights
Contracts defining the roles and responsibilities of the actors:
Contracts with processors (subcontractors)
Internal procedures for data breaches
Evidence that data subjects have given consent when the processing of their data is based on consent