Even if you have found out that the GDPR will apply to you from 25 May 2018, when it enters into force, you don’t have to worry. It’s all a matter of simple preparation: the more you do before that date, the better your chances of having nothing to worry about. Nobody said this will be trivially easy, but it’s not that big of a deal either.
From our experience, small companies are having the hardest time complying with even the basics of the GDPR. The reasons are very practical: they simply don’t have the time, money or know-how to do better, no matter how hard they try. But things don’t have to stay as they are now.
Analyse and Research
The first part of getting things right for the GDPR is laying down the basics. Study the key provisions of the GDPR and think about the changes you will have to make. Consult your local laws too, as they may apply alongside it.
Then make a note of the practices you have identified as possibly not in line with the GDPR. These are the activities you will have to watch closely as you advance in your compliance efforts.
Map and Secure
Mapping your data is also a very important requirement of the GDPR. You have to be able to account for your data at all times. That means knowing exactly where the personal data is stored, how many copies there are, what you plan to do with the data and, finally, when you will delete it.
If you can answer all of the above, you can be reasonably sure the data won’t be misused. It will also be easy to answer personal data requests if you know where you store your data.
Security is also paramount. Encrypt and anonymise your data for maximum protection, use access controls, and make strong passwords mandatory.
Data Protection Impact Assessments (DPIAs) help you determine both the risks and the positive consequences of the processing you envision, so they help you decide whether carrying it out is a good idea. A Data Protection Officer can help you conduct a DPIA.
Consent – Revised
Processing personal data will now require a more informed level of consent from individuals. You will have to explicitly inform individuals of how you plan to use their personal data. The notices must be served at the time the data is obtained, and they must be written in simple, understandable language. Consent (ticking a box or similar) must be explicit: pre-ticked boxes are no longer allowed!
Keep records of all of your data processing. This isn’t a requirement if your company has fewer than 250 employees, but good records are the key to proving compliance with the GDPR to the authorities.