« WITH ONE YEAR TO GO, A NUMBER OF BUSINESSES ADMIT THEY WON’T BE READY FOR GDPR »

Tyrone Stewart

Earlier this year, we published an article explaining GDPR in a nutshell.

We set the importance of it and what risks will Companies face by 2018.

Here is a reminder checklist of all the requirements to implement in your company to be compliant.

First let’s understand who are the main actors:

• Data subject: It is the customer, employee or user. The person who entrusted you with their personal data.
• Data controller:  Your company. It is the responsible party in deciding what happens to the data.
• Data processor: It is the entity that handles personal data and is mandated by data controller.

– Accountability & Data protection: It is important for all companies to raise awareness to Privacy issues to match privacy compliance into the mindset of the employees.

For that, companies need to set a privacy governance mode, put in a place a DPO or a local representative in case the company is not located in EU. Training employees is a major requirement to implement. Also make sure to check your insurance coverage.

As a controller, you’re responsible for the data you hold. This means that you need to take steps to protect it and can demonstrate them to Data Protection Authorities (DPAs).

Companies need to have a complete documentation to demonstrate compliance. For that, an implementation of a data protection policy is necessary, as well as a privacy compliance audit.

In other words, you need to secure the data your organization holds. This can sometimes translate into military grade encryption but can also involve tutoring your employees on data handling best practices.

– Processors & Consent: Systems must be able to handle removal requests.

Consent is one of the fundamental aspects of the GDPR. Companies will now need to obtain consent from their customers for every usage of their Personal data.

Data subjects must also be able to withdraw consent at any time.

– Notices: Notices for HR and Customers must be clear, concise, informative and GDPR compliant.

In case of criminal records check up, the company must get an approval by the law.

Does your company have privacy notices? Are you processing any sensitive personal data? Are the requirements for GDPR satisfied? You must make sure systems accommodate withdrawal requests.

– Data subject rights and procedure: The GDPR also grants an enhanced set of fundamental rights to data subjects. These include:

1. Right to be forgotten (or right to erasure) — subjects can request for their data to be erased when it’s no longer necessary for their original purpose.
2. Access & rectification— subjects must also be able to access their personal data and modify it.
3. Portability— controllers need to provide all personal data they have on a subject when requested, in a portable and readable format.

These must be clearly mentioned in the notices given to data subjects.  For that, companies must update privacy policy and internal processes, and ensure technical and operational processes are in place to ensure this data portability.

– Record of processing: record of processing activities, description of categories of data, security measures…

You must identify all data processed in a detailed record of processing.

– Privacy and design: Data protection requirements to be considered when new technologies are designed or on boarded. This means that security must be built into products and processes from day one. Companies must then put in place a privacy impact assessment protocol, ensure processes are in place to embed privacy by design into project.

– Contracting and procurement: Customer agreement and third party vendor agreements will need to be updated to ensure they reflect the new GDPR requirements and flow down obligations which must be complied with by parties processing European personal data on your behalf.

Companies must ensure procurement process has controls to ensure privacy by design.

– Personal data breach: Data breach notification regime. Act quickly (within 72 hours), mitigate losses and do not forget notifications to regulators and affected data subjects.

– Data export: Transfer is only allowed to countries with the same level of protection, outside E.U. This is why companies must identify all cross-border data flows and review data export mechanisms.

To conclude, you must:

• Check how your company is storing personal data and ensure that the methods being used are protected.
• Adapt your customer touchpoints to support subject’s rights, such as data portability.
• Make sure everyone who handles personal data within your organization understands what these changes mean.
• Choose the entities you share your users’ personal data carefully, as a small mistake might dictate the end of your business.
• If you already rely on 3rd parties to handle personal data, verify that these are already GDPR compliant or that they will be by May 2018.