Worried about data protection? GDPR in 3 "mandatory'" steps
The deadline for the data protection regulation is right around the corner and the moment to start preparing for it was yesterday.
While experts continue to count the blessings of the initiative and look ahead with great optimism, organizations are venturing off into the unknown. With less than 3 months to go, there are still a lot of questions around the General Data Protection Regulation. According to a study conducted by Deloitte, only a small percentage (15%) of companies from EMEA believe they will be fully compliant once May 25th comes.
So, what’s there to be done?
The 3W
What is your business’s core activity and does it require regular and systematic monitoring of data subjects on a large scale? What kind of personal data does your company process?
Why do you need to process such information – are all the details needed for your core activities or can you reduce the amount of data that you collect and store?
Where do you keep data and how do you make sure it is confidential and secured?
These are the main questions each company that operates data in the EU, regardless of whether they have headquarters or even an office within the EU, must answer as soon as possible. This step will not only help organizations rethink and improve their relationships with privacy and security, but it will also help managers establish the next steps.
What do I mean? Based on how much data they gather and store and for what purpose, some companies do not have to comply with all GDPR rules as standard. For instance, companies have a lawful basis to process HR data, so explicit consent can be bypassed in this case. However, for most of them, documenting the process of collecting, processing and storing data and the amount of time for which that data is kept, is mandatory. Also, don't forget about your 3rd parties - you need to make sure they are GDPR compliant too.
In addition to these 3 questions, it is also necessary to decide who has access to this information and who is in charge of keeping it secure. Even in smaller companies that only process employees’ records, such information needs to be available only for those responsible with handling HR and not for anyone to check.
Transparency
If you’ve followed step 1 religiously, you’re half way there when it comes to transparency. Why? Because you already know what information you have and where it is. The next logical thing is to make this visible to your data subjects too. By putting them in the centre of data protection, you can allow data subjects to maintain control over their data, which is a requirement of GDPR. Such information can be provided in writing or electronically. Of course, oral communication is also possible, when requested by the data subject and when conditions allow it.
Nonetheless, this opens a new topic for debate – shall we handle this in a traditional, old fashioned way or do we need to have customized ways to communicate and share this data? I guess this is something every company can decided based on its resources (time, human, financial) and other conditions.
Data protection officer – in or out?
According to GDPR requirements, it is now mandatory to appoint a Data Protection Officer (DPO). However, even if the advantages of having someone supervising and advising the ones preparing for GDPR are undeniable, not all these persons need to be DPOs. The difference between the two roles is that the DPO is the contact person for the competent authority in the country and all data protection queries are directed to him.
DPOs are mandatory in public authorities, in companies that require regular and systematic monitoring of data subjects on a large scale and in those organizations which process ‘special categories’ of personal data and related to criminal convictions and offences.
Main duties include:
- Inform and advise the controller or the processor and their employees of their data protection obligations
- Monitor compliance, including the assignment of responsibilities.
- Provide advice when requested
- Engage with the Information Commissioner’s Office or relevant Supervisory Authority
BONUS 4: Don’t panic!
Yes, you’ve had two years to prepare for this and you’ve only decided to start now, yet there’s no need to freak out… completely :) You can still meet the deadline if you focus your entire efforts on this.
Wishing you all a totally GDPR compliance!