The authorities are getting up to speed in handling complaints and breaches, and yes, they do impose fines. Here is your checklist, in simple wording, of what it takes to make you as compliant as possible with the GDPR.
Privacy by Design
Companies should have mechanisms to protect personal data in the design of new systems and processes. Privacy and protection aspects should be considered by default.
So, if your company creates a web page where users can subscribe to a newsletter, it is wise to also provide an unsubscribe (opt-out) option from the start. Ready to install a new HR application? Well, just make sure the application supports different access levels (for example, role-based access), so that personal data is only visible to the people who need it.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) estimates the impact of a new project, change or product on the protection of personal data, so it should be conducted when such a project, change or product is initiated. In particular, a DPIA needs to be carried out when a significant change is introduced in the processing of personal data: a new process, or a change to an existing process that alters the way personal data is being processed.
For sure, a DPIA is mandatory if you process personal data of special categories or data relating to criminal convictions and offenses on a large scale. Does this sound fuzzy to you? Well, EASI can help, just let us know.
The controller of personal data (that is, your organization) remains accountable for ensuring that personal data is protected even if the processing is done by a third party. So, organizations have the obligation to ensure the protection and privacy of personal data when this data is transferred outside the company. How can you do this? Well, a good start is to put a data processing agreement in place with each of your processors.
What if you transfer personal data out of the EU? Well, if you transfer personal data to a country covered by an adequacy decision of the European Commission, there is no problem. At the time of writing, these were Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework). Note that this list changes over time: the Privacy Shield framework has since been invalidated by the Court of Justice of the EU, so always check the European Commission's current list of adequacy decisions before relying on it.
If you transfer personal data to countries not covered by an adequacy decision, appropriate safeguards (such as standard contractual clauses) must be in place before the transfer can take place.
Data Protection Officer
The Data Protection Officer has the responsibility of advising the company about compliance with the GDPR requirements. A question often asked is "Do I really need a Data Protection Officer?" Well, it depends... Here are the cases in which a Data Protection Officer is mandatory:
- You are a government agency or a government body, or
- Your core activities consist of processing personal data of special categories on a large scale, or
- Your core activities consist of processing personal data relating to criminal convictions and criminal offenses on a large scale, or
- Your core activities require regular and systematic monitoring of data subjects on a large scale
Most of these terms are rather vague (regular, systematic, large scale, core activities, ...), but all of this is explained in the guidance published by the European Data Protection Board on "Regular and Systematic Monitoring".
Awareness and training
An organization should provide awareness training regarding the protection of personal data to its employees. Depending on the nature of the personal data that is processed, and on the risk of data breaches, the awareness training program may be more or less extensive. Basically, employees should be told what they need to know and how to carry out the organization's GDPR obligations in their daily work. Keep it simple and to the point, and repeat the training on a regular basis. And hey, don't forget to train your new employees.