How to get ready for GDPR?
Only until 25 May 2018 will you have time to implement GDPR in your firm. Use this time wisely to avoid heavy fines. And time is scarce. Plan the next steps carefully to make sure you have enough time to take all necessary actions.
1. Increase awareness in your firm that changes are on the horizon.
Make sure that decision makers understand what the coming changes involve and what are the consequences of non-compliance with GDPR. Organize a training for heads of departments in your firm. Make them aware that the obligation to implement GDPR concerns everyone dealing daily with personal data.
2. Analyse processes which involve personal data processing.
This is the right time to carry out audit of policies, define processes which involve personal data processing in the firm, meet and talk with team leaders.
3. Verify on what legal basis you collect and process personal data.
Meet the persons who supervise the collection of respective categories of data. Pay a visit to HR, Marketing, Sales and IT director. Determine jointly what is the objective of collecting personal data, where are the data stored and who can access them.
• What kind of data does your firm process?
• Are the collected data updated?
• What is the time of data retention?
• Does your firm collect any excess data which in fact are of no use in view of business objectives?
• How the rights of individuals are addressed?
• What activities involving personal data processing will the firm undertake in the future (new processes, new IT systems)?
4. Check if you have procedures to enforce the rights of individuals?
Update or create a procedure for enforcing the right to access data, right to amend and delete data, right to refuse automatic decision making processes and profiling and the right to transfer data.
5. Procure documentary evidence for processes involving personal data processing.
This is the time to draw up policies, procedures and authorizations. The quantity of data your firm is processing will be reflected in number of processes which you will have to develop at this stage.
6. Carry out data protection impact assessment, if required.
Determine legal, organizational and IT measures that will reduce risk of breaches of personal data protection. Consult experts in this field, take notice of the supervisory authority’s guidelines.
7. Review data entrustment agreements in terms of their compliance with GDPR, amend them, if needed.
Check if the services your firm is providing require new entrustment agreements to be drafted. If so, make sure they will be signed.
8. Check if IT systems comply with GDPR requirements.
Carry out appropriate penetration tests, make sure that data stored in IT systems comply with the data protection requirements by design and by default settings.
9. When you finish, begin anew…
Remember that preparing for GDPR is a never-ending process. Now, you have to make sure that any new data will be stored in line with principles introduced by GDPR.
It is worth paying special attention to the preparation of your firm for GDPR. At stake is even a EUR 20 million fine for non-compliance with new regulations.
Download pdf version of this Newsletter here.