In the first blog of this series we talked about the Top four GDPR buzz-words you need to know. We promised to get back to you on the 3 key steps to comply with the regulation.
Before diving into the first one, let us set the scene by summing up the 3 steps we are talking about:
- Managing Information: know what types of data your company holds;
- Managing Risks: proactively list, assess and address your company’s GDPR related risks;
- Governance and Privacy by Design: implement cross-functional systems to protect and properly manage your data, so that data are protected and only used for the purposes for which they were collected.
CDI-Partners helped us to summarize the GDPR principles below:
1. managing information
a. Personal Data Inventory
The first step is to screen, map and document the data you hold, where this data comes from and with whom you share it. Identify where you store your data, who can access these data and all related risks. This analysis allows you to clean up data that are no longer relevant or bring no benefit to your organization. GDPR encourages a more disciplined treatment of personal data: data can only be collected for specific, necessary and relevant purposes.
One more thing: when we talk about data, most people are biased to think of data in databases, as structured data. GDPR addresses all data, so also unstructured data stored in documents, emails, document management systems such as Alfresco, (printed) lists and anything else that may contain personal data! So, when you screen your company data for personal data, think of it in a broad sense.
b. Privacy Notices Process
Personal data must be processed fairly and lawfully. When you collect personal data, you will have to give people specific information, such as your identity and how you intend to use their information. Being transparent by providing a privacy notice is an important part of fair processing.
c. Consent Mechanism
You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service;
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods;
- Granular: give granular options to consent separately to different types of processing wherever appropriate;
- Named: name your organization and any third parties who will be relying on consent – even precisely defined categories of third-party organizations will not be acceptable under the GDPR;
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented;
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
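As an added example (not code from the original post or from Xenit), the six consent requirements above can be turned into checks that a consent form must pass before any consent collected through it is recorded. The data structures, field names and the two sample requests are assumptions constructed for this illustration, not a standard.

```python
"""Consent-request checks modelled on the GDPR consent requirements listed above.
Added example: structures and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRequest:
    """One opt-in control as shown to the data subject (assumed structure)."""
    purposes: List[str]                # granular: exactly one purpose per control
    controller: str                    # organisation relying on the consent
    third_parties: List[str]           # named organisations also relying on it
    third_party_categories: List[str]  # e.g. "selected partners" (not acceptable)
    default_checked: bool              # is the opt-in box pre-ticked?
    bundled_with_terms: bool           # folded into T&Cs or other conditions?
    precondition_of_service: bool      # must the person agree to sign up?
    necessary_for_service: bool        # ...and is that processing actually needed?
    notice_text: str                   # what the person is told
    withdrawal_instructions: str       # how to withdraw, shown at the same time


def consent_problems(req: ConsentRequest) -> List[str]:
    """Return the requirements from the list above that the request fails."""
    problems = []
    if req.bundled_with_terms:
        problems.append("unbundled: consent is folded into other terms")
    if req.precondition_of_service and not req.necessary_for_service:
        problems.append("unbundled: consent is a precondition but not necessary")
    if req.default_checked:
        problems.append("active opt-in: box is pre-ticked")
    if len(req.purposes) != 1:
        problems.append("granular: one control must cover exactly one purpose")
    if not req.controller.strip():
        problems.append("named: controller is not named")
    if req.third_party_categories:
        problems.append("named: third parties given only as categories")
    if not req.notice_text.strip():
        problems.append("documented: no notice text to record")
    if not req.withdrawal_instructions.strip():
        problems.append("easy to withdraw: no withdrawal instructions")
    return problems


@dataclass
class ConsentRecord:
    """Evidence kept for one consent given (the 'documented' requirement)."""
    subject_id: str
    purpose: str
    controller: str
    third_parties: List[str]
    notice_text: str
    method: str                # e.g. "unticked checkbox on signup form"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self, at: Optional[datetime] = None) -> bool:
        """Consent counts only until the moment it was withdrawn."""
        at = at or datetime.now(timezone.utc)
        return self.withdrawn_at is None or at < self.withdrawn_at


def record_consent(req: ConsentRequest, subject_id: str, method: str,
                   at: datetime) -> ConsentRecord:
    """Refuse to record consent collected through a non-compliant request."""
    problems = consent_problems(req)
    if problems:
        raise ValueError("non-compliant consent request: " + "; ".join(problems))
    return ConsentRecord(subject_id, req.purposes[0], req.controller,
                         list(req.third_parties), req.notice_text, method, at)


def withdraw_consent(record: ConsentRecord, at: datetime) -> ConsentRecord:
    """Withdrawal is a single step with no extra conditions, as easy as giving it."""
    record.withdrawn_at = at
    return record


# Constructed sample requests (assumed organisation names, not real ones).
GOOD_REQUEST = ConsentRequest(
    purposes=["monthly newsletter by email"], controller="Example Ltd",
    third_parties=["Example Mailer B.V."], third_party_categories=[],
    default_checked=False, bundled_with_terms=False,
    precondition_of_service=False, necessary_for_service=False,
    notice_text="Example Ltd will email you a monthly newsletter via Example Mailer B.V.",
    withdrawal_instructions="Click 'unsubscribe' in any email or in your account settings.")

BAD_REQUEST = ConsentRequest(
    purposes=["marketing email", "profiling"], controller="Example Ltd",
    third_parties=[], third_party_categories=["selected partners"],
    default_checked=True, bundled_with_terms=True,
    precondition_of_service=True, necessary_for_service=False,
    notice_text="By continuing you accept our terms.", withdrawal_instructions="")

if __name__ == "__main__":
    print("good request problems:", consent_problems(GOOD_REQUEST))
    print("bad request problems:", consent_problems(BAD_REQUEST))
```

Running the block prints an empty list for the compliant request and six failed requirements for the pre-ticked, bundled, multi-purpose one. The point of `record_consent` raising rather than storing is that the audit trail should never contain consent the organisation could not rely on.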
Well, the above 3 steps aren’t hard to explain or to grasp, but putting them into practice can be a hell of a job. Therefore, a risk-driven approach is highly recommended to chunk the workload and keep focus. Curious how to tackle your risks? Let's walk through the next step: managing risks.
2. managing risks
Controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
a. Risk Management
The second step is to protect your data against internal and external risks. From a risk management standpoint you can adopt different approaches to reduce the risks:
- Minimize data footprint and encrypt data held;
- Mitigate the security risk by implementing strong access control on online applications, keeping records of all personal data, and testing and monitoring;
- Register the risks and insure your system for any residual risks.
b. Data Breaches
The GDPR will introduce a duty on all organizations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected. A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it.
3. governance and privacy by design
The GDPR makes privacy by design an explicit legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs.
A DPIA is an approach that helps organizations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. It also emphasizes the importance of embracing privacy and data protection as a key consideration in the early stages of all projects, and throughout their lifecycle. For example, when:
- Building new IT systems for storing or accessing personal data;
- Developing legislation, policy or strategies that have privacy implications;
- Embarking on a data sharing initiative; or
- Using data for new purposes.
The adoption of this approach can help your organization in reducing privacy risks and building awareness and trust, across all departments, from Finance to Marketing to HR.
So, these 3 steps will bring you on the right track to GDPR compliance. By now you can imagine what is needed. If you want to read more, or want to find out how Xenit can help you get a solid GDPR grip on your data, read more on Xenit GDPR.