Top three issues to consider to be GDPR compliant
Becoming GDPR compliant can be overwhelming. In this section, we describe the three primary actions to take before anything else.
The General Data Protection Regulation (GDPR) is a European regulation that, on the one hand, protects the personal data of natural persons in the EU and, on the other, forces organizations to become aware of how they process personal data.
Although one of the main purposes of the GDPR is to harmonize data protection law across the EU, a number of its provisions (the so-called opening clauses) give Member States room to introduce their own national data protection laws and to specify further how the GDPR applies in their jurisdiction. The UK, with the Data Protection Act 2018 (DPA 2018), and Germany, with the Bundesdatenschutzgesetz (BDSG), were among the first European countries to adopt such legislation supplementing the GDPR.
The GDPR creates a large number of administrative tasks, parts of your organization may still be resisting, and you want everything done as soon as possible. After all, business operations should have been GDPR compliant since 25 May 2018.
The following information describes the first three steps any wise CISO or DPO should take immediately.
GDPR is about awareness
The legislation requires organizations to think about how they process personal data, where "processing" covers the whole lifecycle: collecting, using, storing, sharing, and deleting. Whether the data concerns clients, leads, or employees makes no difference; in each of these cases personal data is involved.
The GDPR places great weight on limiting the amount of personal data collected and on mapping the risks of processing it. Other central themes are the measures taken to prevent data breaches, being able to demonstrate that those measures are effective (accountability), and limiting the damage when something does go wrong. Acting incorrectly, or concealing incidents, can lead to severe penalties.
“The GDPR’s purpose is to create awareness of how to deal with personal data securely. This purpose also becomes evident from the fact that the legislation imposes higher fines for failing to report a data leak, than for the actual data leak itself.” - Erick van Veghel, CISO.
How do you get started with GDPR compliance?
Start by composing the right team. Organizations today store most of their data digitally, and different systems and applications share that data among themselves. Form a team to set up and monitor GDPR-related activities. Ideally, the core team consists of a legal expert, a privacy expert, and an IT expert; together they involve the responsible managers and specialists in each department.
1. Develop an understanding of GDPR
Lawyers specializing in the GDPR advise starting by mapping the current data flows. Because there can be many, begin with the most important or the most sensitive ones. Questions you should ask are:
- What data is gathered where?
- Where and how is this data stored?
- Who receives or has access to this data?
A comprehensive overview of these flows gives you insight into your organization's infrastructure and systems, and in particular into which systems hold personal data.
2. Determine the impact of GDPR on your organisation
As soon as you have mapped the data flows, compare them against the GDPR in a gap analysis: look at the current situation and compare it with the required one. The result is a list of measures needed to close the identified gaps. In some cases you can update existing policies; in others you will have to draft new rules. It is wise, although not always mandatory, to base this work on a record of processing activities.
Keep a record of data processing
If your organization has 250 or more employees, you are required to keep an internal record describing all processing of personal data (the record of processing activities, Article 30 GDPR). Organizations with fewer than 250 employees only have to keep such a record if:
- The processing is likely to result in a risk to the rights and freedoms of the people involved, for example automated profiling for targeted marketing or automated decisions about a health insurance policy
- The processing involves special categories of personal data, such as medical data, or data relating to criminal convictions
- The processing is not occasional, that is, it is a regular part of how the organization operates
If you draft the record of processing according to these guidelines, you immediately meet the GDPR's recording obligation. No fixed format is prescribed, so you can decide for yourself whether to keep it in a spreadsheet or in specialized software, for example. The contents of the record, however, are prescribed; our GDPR-compliance checklist explains this in more detail. Obviously, the information in the record has to be complete and kept up to date, and you must be able to make it available to the supervisory authority on request.
3. Draft and maintain a data protection policy
The record of processing provides insight into the personal data you process. It obliges you at least to think about which personal data you store, for what purpose, for how long, and how you secure it. That lays the foundation for drafting a policy or an additional plan. The GDPR requires organizations to take privacy seriously and to consider which data they collect and store, and why. The principle of data minimization applies here: store only the data you need, and only for as long as you need it. This is the exact opposite of how many organizations have worked so far, "storing data for as long as possible because you never know when it might be useful". It is this mindset that led to the over-collection of personal data, and the GDPR is the remedial measure; it is also why many companies still view privacy as a burden.
At a minimum, the policy should cover:
- The identity and contact details of the party responsible for the data (the controller). In most cases this will be your company. If a data protection officer (DPO) has been appointed, their contact details have to be included as well
- The purpose of the data processing and its legal basis
- The recipients (third parties) of the data. If they are located outside the European Economic Area (EEA): which appropriate safeguards (such as an adequacy decision or standard contractual clauses) make the transfer outside the EEA lawful?
- The storage time of personal data
- Information about the rights of the people involved (the data subjects), including:
  - The right to access, correct, and delete their data, and to restrict its processing
  - The right to data portability, such as being able to move data from one organization to another
  - The possibility to withdraw consent for data processing, for example through an opt-out link in an email
  - The ability to lodge a complaint with the supervisory authority
  - The ability to object to profiling and other automated decision-making
Now that you have a better idea of the task at hand, it's time to take action.