GDPR compliance is not a one-time exercise: once the initial obligations have been fulfilled, there are ongoing matters to watch out for.
1. Consent- Consent is central to the GDPR. Processing of personal data is lawful only where a legal basis applies, and where that basis is consent, it must be freely given, specific, informed and unambiguous. For consent to be informed and specific, the data subject must at least be told the controller's identity, what kind of data will be processed, how it will be used and the purpose of the processing. Users must also be told how to withdraw consent, and withdrawing it should be as easy as giving it. Consent has to be an active act on the user's part, and users retain the "Right to Erasure", i.e. the right to have their information forgotten.
2. Third parties- Both the company (the data controller) and any third party processing data on its behalf (the data processor) have their own obligations under the GDPR, and the controller remains responsible for processing carried out by its processors. This can affect international partnerships. It is therefore not enough for the company itself to comply; it must make sure that each processor does so as well, because the company is legally answerable for acts performed by the processor on its behalf.
3. Dealing with data breaches- It is essential to know how to handle one. Improving risk management and incident response is strongly recommended. The GDPR requires a personal data breach to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, so the response process has to be prepared and rehearsed in advance. Unfortunately, data breaches are not rare, so companies need to be well prepared.
4. Data Protection Officers- Under the GDPR, not every controller is required to appoint a DPO. It is nevertheless highly recommended to designate one in order to manage the risks organizations face when processing personal data. It is very important that the DPO is independent, an expert in data protection, adequately resourced, and reports to the highest management level.
5. Users' rights- Be familiar with the tools users must be given in order to control their own data. It is important to be aware of all data subject rights, especially those that are hardest to accommodate (such as the "Right to Erasure" and the changes it requires within the company).