08 January 2018

12 Tips on GDPR

Follow our experts' tips to get ready for GDPR before its effective date, the 25th of May.

1. Identify what data you retain:
Document what personal data you store. Identify where it came from, the reasons why you store it, and create a yes/no checklist as to whether you really need to store it.

2. Clean your house:
Declutter and get your house in order. By this I mean tidy up and remove any unused personal data that is no longer required for regulatory or historical reasons from all of your and your suppliers' systems.

3. Create a GDPR responsibility framework:
Create an organizational chart showing which role, or third party where applicable, is responsible for each element of GDPR.

4. Update data security policies and procedures:
One of the most important aspects of GDPR is that policies and procedures must be easily accessible and must also be easy to understand.

5. Privacy By Design:
Personal data protection is the main aspect every company needs to address when designing new services. Adopt proportionate measures to guarantee that only the personal data necessary for each specific purpose are collected and processed.

6. Prepare for a data breach:
The regulation introduces an obligation to notify the supervisory authority of any detected data breach within 72 hours if it poses a risk. Moreover, the company is obliged to notify the data subject whenever the breach poses a high risk to their rights. The fines for a data breach are huge: up to 20 million euros or four percent of your global turnover.

7. Know the rights that people have and prepare to be challenged:
The data subject has several rights: a) the right of access, i.e. the right to receive a copy of the processed data; b) the right to be forgotten, i.e. the right to have personal data erased, including after consent has been withdrawn; c) the right to restrict processing, applicable whenever the data subject requests correction of the data or objects to their processing; d) the right to data portability: the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
You are responsible for demonstrating why you store or process data and ensuring its integrity.

8. Greater liability:
As a data processor you will have significant responsibility. Data subjects will be able to take direct action not just against a data controller but also a data processor.

9. Data Protection Officer:
Organisations involved in regular and systematic monitoring or processing of sensitive data on a large scale will need to appoint a DPO.

10. Do a Privacy Impact Analysis whenever it is needed:
In the cases contemplated by the regulation, every controller needs to carry out a Privacy Impact Analysis. This means evaluating in advance the impact, from a privacy point of view, of every data processing operation that will be conducted.

11. Prepare and update records of processing activities:
In the cases foreseen by the regulation, companies have to keep a record of the processing activities they conduct.
Be sure your company prepares and keeps this record up to date.

12. Be clear towards data subjects:
Article 5 says: "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject."
Transparency is a basic building block of the accountability of the data processor.

Do you need further information? Please contact us!