If you were already compliant with the DPA (Data Protection Act), you most probably do not need to worry about how much there is to do to become GDPR compliant. However, if you have just established your business or want to know how to comply with the new regulation, keep reading to find out what you need to do to make sure you are doing it the right way.
There are several steps you should go through to reach the point of GDPR compliance.
1. Make a Data Flow Map
It doesn’t matter whether you have just started your business or have been trading for a long time before GDPR came into force: the first thing to do is to map the data that travels through your organization. To do that, ask yourself: What data do you collect? What is the purpose of collecting it? For how long should it be kept? Where do you store it? Where does that information come from? What is the lawful basis for processing the data?
If you know all the answers to these questions, it will be easy to map the data flow. While doing so, think through some of the answers and make sure that all the data you have been collecting is actually needed; maybe you can store it for a shorter time and make it less identifiable.
To be sure that you have effectively mapped all of the data, you need to identify:
- Type of data
- The format in which it is stored
- Transfer method
- Location of the data
- The person that is accountable for the data
- Accessibility of the data
Also, do not forget about the third parties you cooperate with. They also need to be GDPR compliant, since both of you bear responsibility for data protection.
Procedures are essential to make your organization operate in accordance with the new regulation. Here is the list of mandatory documents:
- Data protection policy
- Training policy
- Information security policy
- DPIA procedure
- Retention of records procedure
- Subject access request form and procedure
- Privacy procedure
- International data transfer procedure
- Data portability procedure
- DPO job description
- Complaints procedure
- Audit checklist for compliance
- Privacy notice
There are some other documents that are required only under specific conditions. Check whether any of these apply to your business:
- Data Protection Officer Job Description. Having a Data Protection Officer is mandatory if your company is a public authority or body (except for courts acting in their judicial capacity); or if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities process special categories of data, or personal data relating to criminal convictions and offenses, on a large scale.
- Inventory of Processing Activities. This document is mandatory if the company has more than 250 employees; or if the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or if the processing is not occasional and includes special categories of data; or if the processing includes personal data relating to criminal convictions and offenses.
- Standard Contractual Clauses for the Transfer of Personal Data to Controllers, and
- Standard Contractual Clauses for the Transfer of Personal Data to Processors. These two documents are mandatory if you are transferring personal data to a processor outside the European Economic Area and you are relying on model clauses as your lawful grounds for cross-border data transfers.
So, internal policy documentation is very important when it comes to treating data subjects fairly, and it becomes even more important if you want to avoid the fines that the regulation stipulates.
The foundation of GDPR is transparency: you are obliged to show your users, in an understandable way, what data you collect and for what purpose. They should know this from the moment they give consent, so be careful, because the rules on consent have changed.
Consent must be freely given, unambiguous and involve a clear affirmative action. The new regulation gives users more control over their data, so you need to ensure that the person has the option to accept or refuse consent without detriment. A person must also be able to withdraw consent easily at any time. Pre-ticked opt-in boxes are specifically banned.
3. Choose the right technique to protect Data
There are many provisions of GDPR that require data to be stored securely. Here are techniques to fulfill that obligation and protect data:
- Risk assessments: the process that allows you to identify hazards and risk factors that have the potential to cause harm. The riskier the data, the more protection it must be afforded.
- Backups: a method of preventing data loss, which often occurs due to user error or technical malfunction.
- Encryption: the process of converting information or data into code, especially to prevent unauthorized access. The GDPR explicitly mentions it as one of the techniques.
- Pseudonymisation: also mentioned in the GDPR, a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
- Access controls: provide the essential services of authorization, identification and authentication, access approval, and accountability.
- Destruction: protects data against unauthorized recovery and access. It matters once data is no longer needed, or when a person wants to exercise his or her “right to be forgotten”.
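As an added illustration of the pseudonymisation and destruction techniques listed above (example code written for this page, not from the original article), the following Python replaces identifier fields with keyed pseudonyms, keeps the re-identification table apart from the records, and honours an erasure request by dropping the mapping. The field names, the sample record and the key are assumptions.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumption for this example).
PII_FIELDS = ("name", "email")


class Pseudonymiser:
    """Replace direct identifiers with keyed pseudonyms; the key and the
    re-identification table are the 'additional information' that must be
    stored separately from the pseudonymised records."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> original value, kept apart from data

    def pseudonym(self, field, value):
        # HMAC, not a bare hash: a plain SHA-256 of an e-mail address can be
        # confirmed by anyone who can guess the address; the key prevents that.
        tag = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256)
        return f"{field}-{tag.hexdigest()[:16]}"

    def pseudonymise(self, record):
        out = dict(record)
        for field in PII_FIELDS:
            if field in out:
                p = self.pseudonym(field, out[field])
                self.lookup[p] = out[field]
                out[field] = p
        return out  # same input and key always give the same pseudonym

    def reidentify(self, record):
        out = dict(record)
        for field in PII_FIELDS:
            if out.get(field) in self.lookup:
                out[field] = self.lookup[out[field]]
        return out

    def erase(self, field, value):
        """Destruction for a 'right to be forgotten' request: drop the
        mapping so existing pseudonymised records can no longer be linked.
        Returns True if a mapping existed."""
        return self.lookup.pop(self.pseudonym(field, value), None) is not None


# Constructed sample record, not real personal data.
SAMPLE = {"name": "Alice Example", "email": "alice@example.com", "plan": "basic"}
```

Pseudonymised records stay joinable across datasets under the same key, while a different key (or a deleted mapping) breaks the link back to the person.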
4. Train your people
As people are the core of a business, all procedures are meaningless if you do not train your employees well. Your company will gain a number of benefits, such as greater customer trust, staff who are more motivated to get involved, and, finally, easier operations and fewer data breaches. It is very important for each of your employees to understand how they contribute to complying with the GDPR. There are a number of expert organizations that can help you prepare your team for these challenges.
5. Obligations and responsibilities
Finally, you need to know all your obligations and responsibilities under GDPR, which depend on whether you are considered a Controller or a Processor.
Also, check what other vendors are doing, as well as competitors’ websites, for changes and best practices. Don’t forget that GDPR compliance is not a one-time task, so keep working on operational policies, procedures, and processes.