Dedicated to providing the latest
HIPAA compliance news

“To-do list” for GDPR Compliance

Share this article on:

The goal of this short piece is to provide a checklist for companies or businesses who are concerned with GDPR compliance. This list should permit such entities to take initial steps in order to comply with GDPR. Please note that this is not intended to be a comprehensive guide, more so a few “rules of thumb” to take into account in order to get started.

Preparing for GDPR

Although the impact of the General Data Protection Regulation (GDPR) has been largely known since it was agreed upon in 2016, it seems that few organisations are ready for it. According to ‘Spice Works’, just one year before the implementation date of the 25th May 2018, only 2% of Information Technology professionals surveyed throughout the European Union believed that their company or business was properly prepared for GDPR. A similar figure applied to IT professionals in the USA, and the figure for their UK counterparts was only marginally higher, at 5%. Simply put, this statistic is a cause for concern given that correct compliance is a necessity for companies which wish to avoid fines and other penalties.

In order to comply with the GDPR, companies should begin by ensuring that the following actions are taken:

Inform yourself about the GDPR

The majority of business people possess some knowledge about the GDPR. The most obvious thing about the GDPR is that it will replace the Data Protective Directive (DPD). The difference between an EU Regulation and an EU directive means that the new law should improve the level of uniformity concerning how personal data is managed across the entire European Union.

Under the GDPR, individuals will possess greater control over how their personal data is to be used. This is applicable to every person who resides within one of the member states of the European Union. They retain the right to access the data, the right to have data corrected in case of data together with the right to have the data erased (save for a small number of specific circumstances). It is important to note that companies throughout the entire world will be impacted by GDPR, and not only those based within the EU. Any organisation which processes the personal data of individuals who live in a European Union member state are obliged to respect the new regulation.

Companies must ensure that their employees are briefed on this information, and receive training on how the GDPR functions and its impact on the way the company will henceforth deal with data.

Perform an audit of stored data

As soon a company is aware of what is needed in order to comply with the GDPR, it must carry out an audit of the personal data that it presently holds. It should take the following into account:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is retention of the data still necessary?

Perhaps the key thing to consider is whether or not it is at all necessary to still retain the data. The GDPR states that data should be used only for the purpose it was originally obtained for. Should that purpose no longer exist, the data should be deleted or destroyed, save in circumstances where there is a legally sound reason to retain it. As a general rule, it is worth noting that the less data any particular company holds, the less significant the impact of any data breach or misuse is likely to be.

Pinpoint risks

Any high risk data or activities should be identified. In order to do so, it is advisable that Data Protection Impact Assessments (DPIAs) be used. As soon as risks have been identified, steps to mitigate against them need to be taken. If, on the available evidence, it seems as that mitigation is impossible, a the relevant Data Protection Authority (DPA) should be consulted in order to discuss how to best keep and process the data. This type of discussion, is should be noted, is anticipated to be relatively rare. That said, if circumstances arise whereby it appears that no mitigation is possible, a company is obliged to contact the authority to discuss the issue in order to be compliant with the GDPR.

Put GDPR compliance policies and procedures in place

Any company which wishes to comply with the GDPR needs to be able to answer the following:

  • What type of data is held?
  • In what location is the data held?
  • Who is in charge of managing the data?
  • For what purpose is the data used?
  • Is the data still relevant and is retention of it still necessary?
  • What security measures are is place to protect the data?
  • Can the data be accessed and furnished to the individual concerned should they make a System Access Request (SAR)?

Significantly, every company must also be able to demonstrate that is possesses all of this knowledge. In order to do so it is essential processes and procedures be put in place.

Keep a record of all compliance processes

As noted above, companies are required to demonstrate that they are GDPR compliant. For this reason it is essential to accurately document each process and procedure. A company which is revealed to be non compliant may be faced with a fine of up to €20 million, or 4% of its annual turnover (whichever is greater). In all probability the DPA will initially concentrate on addressing issues with companies which are obviously non-compliant, it is still extremely important for every company to have its own processes, procedures and documentation in place.

Prepare for the risk of data breaches

As soon as the GDPR has been introduced, it will become obligatory for every data breach to be reported to the relevant authority within 72 hours. It is for this reason that it is essential that each company has its own procedures in place for dealing with data breaches if and when they occur. Aside from failing to comply with the GDPR and therefore exposing the company to a costly fine, a lack of contingency plans might also lead to a damaged reputation. This could prove to be even more costly in the long term, should it have a significant impact on custom.

Employ an in-house Data Protection Officer (DPO)

Following activation of the GDPR, any business or organisation which monitors the personal data of individuals (including IP addresses) on a significant scale will be obliged to engage the services of a DPO, in either an internal capacity or by means of an external provider. This also applies where companies process voluminous amounts of special category data, e.g. genetic data or criminal information. Public bodies which deal with the personal data of individuals will also need to have a DPO in place.

It is very probable that, initially, there will be a lack of qualified Data Protection Officers available. That said, there is no clear definition of what qualifications a DPO is required to hold. What is necessary, however, is that a DPO be fully acquainted with what the GDPR covers, and its impact upon the business. Furthermore, they must be able to initiate and oversee the running of data protection systems and processes. It is feasible for a company to internally recruit an existing staff member as its DPO provided that they possess the skill set required, and have received sufficient training in every aspect of the GDPR.

Development of monitoring and reporting processes

As soon as it has ensured that GDPR compliance systems are in place, a company must also develop processes of monitoring and performance. This is so that, firstly, each company is capable of checking at any time that its processes are functioning and fully GDPR compliant. And, secondly, because every company must be able to demonstrate that it is compliant in the event that it be audited by the relevant Data Protection Authority. A company can demonstrate that it is compliant only if everything it does concerning data management and protection is accurately documented. Furthermore, it will need to be able to show that a functional checking regime is in place.

The importance of being prepared

As noted above DPAs will be able to impose a variety of fines for non-compliance with the GDPR. The precise amount of the various fines, aside from the maximum in each category, remains undefined. It appears that DPAs will have some flexibility when it comes to making decisions about this matter. The imposition of other sanctions will also be subject to a certain amount of leeway. What those other available sanctions will be has not yet been defined.

Despite the fact that DPAs will possess some leeway in their imposition of sanctions and fines, it is anticipated that they will discuss these questions with each other so that a level of uniformity is achieved.

Step one for any company should be to make itself aware of the scope of the GDPR. A large number of companies which operate worldwide appear to think that the GDPR does not affect them in any way. If, however, they have any role in the processing of the data of people who live within the European Union, they might be in for quite a shock. This does not only apply to data that has been received directly from the subject; it could also apply to data that was received from a 3rd party. Being informed about the GDPR, and its consequences for them, is a company’s essential first step on the way to compliance.

After that initial step has been taken, it is then a matter of assessing present data and practices, and ensuring that any data being held is being done so in compliance with the GDPR. Companies must also enact processes and procedures in order to ensure that continuing data collection and management is GDPR compliant. The management of data must also be monitored and reported on. Risks must be identified and mitigated against. While companies should do everything within their capabilities to guarantee the security of data, they should also be ready to report any breaches of data within 72 hours of occurrence. In order to avoid the potential penalties under the GDPR and to protect their good reputations, companies should ensure that all of the above is in place by the 25th May 2018.

Author: GDPR News

Share This Post On