Updated: Apr 13, 2020
Some organizations are still trying to put their best foot forward and maintain compliance with GDPR. While it may seem like reading the whole 99 articles of the regulation may seem like the key to getting your company through, it can often leave you more puzzled than ever.
Below are a few notes and tips on for companies on their way to compliance.
First and foremost is awareness. Everyone in your company should be aware of the importance of GDPR – and we mean everyone! From the top of the hierarchy down to the employees should be informed and educated about the regulation. This is especially true on your employees that are involved with the processing of personal data. Education is the key. Equip people in your organization with the “know-how’s” and “how-to’s” when it comes to GDPR.
That’s ‘how’, let us now proceed to the ‘what’ particularly, what type of data does your company process? It is important for you to know the data that your business is handling. You must determine whose data you have stored, be able to identify the place that it is stored and how it is stored and if you share this information with other companies. Also, it is also important for you to ensure that you have consent from the data subjects when using their personal data for processing. In addition, for companies who have business partners outside Europe who also get a hold of this data, they need to make sure that these partners will still be in compliance with GDPR.
The next step for you in order to be fully compliant is to always look after the right of the citizens of the EU. The main objective of the GDPR is to ensure that the rights of the data subjects, which are the citizens, are protected at all costs. Keeping that in mind would let you know that the best approach towards compliance is to always consider and acknowledge their rights every step of the way. This could also mean that you need to reboot and adjust some of your company’s policy in order to abide by the rules of the regulation. Furthermore, as data subjects have the power over their personal data, it is also important that you keep them posted and notified whenever needed as it is their right.
Consent! Consent! Consent!
Although there already was an existing regulation regarding consent, GDPR has taken it up a notch and added some more demands to ensure that the data subjects are indeed in charge of their own data. The important thing to note here is that you know how to take note that you asked for consent. It is also important for you to allow your data subjects to deny access to their personal data should they feel unsafe. You should also remember that consent must be asked on its own and not be included in the general terms otherwise the consent will be nullified. Denying consent should be as easy to data subjects as allowing it and that can be quite challenging as a lot of adjustments need to be done. Children shouldn’t also be overlooked as those who are below 16 require parental consent to have their data processed.
Now let us proceed to the guidelines in protecting the data.
As GDPR is all about data protection and security, you can start by formulating a Data Protection by Design. It is also important for you to conduct a Data Protection Impact Assessment, or also know as DPIA, before you start processing any types of data.
Is a Data Protection Officer Necessary for Compliance?
Not necessarily. Although there are conditions that require a mandatory Data Protection Officer, it isn’t always the case. If you feel confident that you could carry your company just fine and be compliant, then you are all good. BUT, If you have the slightest ounce of doubt that you might mess up, then you probably need a DPO just to be sure.
To wrap it up, compliance to GDPR cannot be achieved overnight. It needs months, or even years, of preparation and adjustments in order for an organization to confidently say that they are 100% compliant with the regulation which is why this should be approached carefully. Baby steps are very welcome and consider every aspect that you will bump into. Just remember that every step, no matter big or small, still is a step that should be taken towards compliance.