Your 10 essentail GDPR requirements - Part 2

26/04/2019
Author Avatar
Geert Van de Steen
Chief Information Security Officer , EASI

The authorities are getting up to speed in handling compliants and breaches, and yes, they do impose fines. Here is your checklist, in simple wording, what it takes to make you as compliant as possible to the GDPR regulation.

Thanks for picking up after part 1. If you missed it, you can have a quick look here. In this article i'll discuss the next five important checks. 

Privacy by Design

Companies should have mechanisms to protect personal data in the design of new systems and processes. Privacy and protection aspects should be considered by default.

So, if your company creates a web page where users can subscribe to receive newsletters, it is wise to also foresee an opt-out button. Ready to install a new HR-application? Well, just make sure the application supports different levels of authority to protect your personal data.

Data Protection impact Assessment

To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product. The Data Protection Impact Assessment is a procedure that needs to be carried out when a significant change is introduced in the processing of personal data. This change could be a new process, or a change to an existing process that alters the way personal data is being processed

For sure, a DPIA is mandatory if you process personal data of special categories or data relating to criminal convictions and offenses. This sounds fuzzy to you? Well, EASI can help, just let us know.

Data transfers

The controller of personal data (= also known as you) has the accountability to ensure that personal data is protected even if the processing is done by a third party. So, organizations have the obligation to ensure the protection and privacy of personal data when this data is transferred outside the company. How can you do this? Well, a good start is to create Data Processor Agreements with all of your processors. 

What if you transfer personal data out of the EU? Hmm... Well, if you transfer personal data to Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay or the United States of America (limited to the Privacy Shield framework) then there is no problem. For the latest list of adequately protected countries, please visit this link

If you transfer personal data to countries not mentioned above, extra adequate guaranties are necessary before the transfer can take place.

Data Protection Officer

The Data Protection Officer has the responsibility of advising the company about compliance wit the GDPR requirements. A question often asked is "Do I really need a Data Protection Officer?" Well, it depends... Here are the cases when a Data Protection Officer is mandatory:

Most of these terms are rather vague (Regular, systematic, large scale, main activity,...), but all of this is explained in an article created by the European Data Protection Board: "Regular and Systematic Monitoring

Awareness and training

An organization should create awareness training regarding the protection of personal data among its employees. Depending on the nature of the personal data that is processed, or the risks of data breaches, the awareness training program can be extensive or not. Basically, the employees should be informed about what they need to know and how to carry out the organization's GDPR obligations. Keep it simple, to the point and repeat this training on a regular bases.  And hey, don't forget to train your new employees.

Whitepaper: Reducing online vulnerabilities.

 

Current job openings

Get our top stories in your inbox every month

Follow us

  

Share this article