It is clear that to implement GDPR compliance, your company or startup needs to begin somewhere. However, the starting point is not very clear if you do not have a trained professional on board.
GDPR, short for General Data Protection Regulation, is an EU regulation applicable to all businesses in Europe. General concerns about personal data are the justification behind the creation of GDPR. GDPR aims to give people more control over their personal data and to guard their privacy. As of May 25th, 2018, the GDPR is in effect, and all businesses established or operating in the EU must be compliant with it. If a business fails to follow GDPR regulations, it is essentially opening itself to hefty fines and the risk of lawsuits.
The 8 Easy Steps to Implement GDPR
This piece aims to propose some practical insights and help you take the first steps to implement GDPR compliance.
1- Implement GDPR: Start with Reading
To get a basic idea of implementing GDPR in your business, the first step is getting acquainted with what GDPR is and what you are expected to accomplish. We suggest you take a look at our Introduction to Fundamental GDPR trilogy:
Reading the mentioned articles should arm you with adequate information to help you begin your journey to implement GDPR.
After that, you might want to check the legal text itself and try to skim it at least once. As a non-legal professional, you are not expected to fully understand the law’s intricacies, yet going over it at least once would help you gain a rudimentary legal mentality on the subject that will come to your aid in the future. The excellent Guide to the General Data Protection Regulation provided by the ICO is a great source for gaining insight and deepening your knowledge of GDPR.
You could also start a book on the subject to make the best use of your free time. There are hundreds of books out there promising to help you implement GDPR. Book Authority has listed 24 GDPR ebooks that might help you make a choice.
“With GDPR the responsibility has now shifted to the business owner and controller to make sure that they do everything they can to protect their data silos and databases for all business systems while giving individuals more rights. Within the GDPR regulation, it is now depicted that protection is a given Human Right, and details outline the rights of individuals under the new articles and recitals.” – Alistair Dickinson, The Essential Business Guide to GDPR: A business owner’s perspective to understanding & implementing GDPR
2- Inform Everyone
To implement GDPR, the whole organization must inject multiple new practices into its daily operations, and this feat requires reengineering business processes and company-wide training. The organization should be eased into the strenuous path toward compliance, and this begins with familiarization and education.
Simply communicate to your teammates the importance of GDPR. This introduction can take place in a casual meeting on a Friday morning. Let everyone know what you have learned and urge them to start researching for themselves. Give them some time for the information to sink in.
3- Seek Legal Counsel
Although GDPR is a unified approach to regulating the use of personal data across the entire EU, you might face variations at the national level when trying to comply. This is due to complementary national laws and unique national regulatory procedures.
A lot of EU countries had their own data protection acts in place even before GDPR. After the enforcement of GDPR, the previous acts (or at least parts of them) have remained as supplements and still bear legal significance. Moreover, the enforcement of GDPR at the national level is subject to varying interpretations and enforcement practices. Certain countries might even have sector-specific acts in place to tailor the governance of data privacy to each sector. To catch a glimpse of the problem, visit this link and take a look at some EU countries.
Facing this complex situation without grasping the whole picture might pose a risk to your efforts to implement GDPR compliance in your company. Only legal professionals have the necessary knowledge and know-how to help you understand the extent of the problem and devise your own plan to implement GDPR.
4- Appoint A DPO
GDPR requires the presence of a data protection officer (DPO) in your company. The DPO is responsible for managing your data protection strategy, training employees, and auditing the compliance process. Let us read Article 39 of GDPR, which explains the tasks of the data protection officer:
“The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
- The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”
5- Train Your Employees
If you are seriously aiming to implement GDPR, appointing a single person to oversee the compliance process while there is no actual process going on will not suffice. Your company needs an organizational transformation comprising numerous changes applied to a wide variety of processes. These processes include the sign-up process, identity verification, data storage, web development, marketing, and much more. To achieve compliance, employees must be sufficiently trained on the practical intricacies of the regulation. The training is usually conducted under the supervision of a DPO, a compliance agent, or a high-ranking manager.
6- Start Documenting
GDPR requires companies to keep an extensive record of documents for compliance. Advisera has done a wonderful job of listing all the relevant types of documents in one place. This comprehensive list includes:
- Personal Data Protection Policy
- Privacy Notice
- Employee Privacy Notice
- Data Retention Policy
- Data Subject Consent Form
- Supplier Data Processing Agreement
- Data Subject Access Request Form
- Data Breach Notification Form to Data Subjects
Other than the mandatory documents, you can also start creating internal documents related to data and compliance. This documentation will minimize the chance of errors and help you implement GDPR more smoothly. The main benefit of vigilant documentation becomes apparent in the event of a lawsuit.
Design checklists to guide employees in assessment and decision-making processes. Go the extra mile when writing the various agreements and disclaimers. These notices should undergo stringent evaluation by legal professionals.
Devise extensive and easy-to-understand sources of information to communicate with customers effectively.
7- Take Necessary Precautions
To successfully implement GDPR, you must hold the regulation’s principles as a compass to guide you towards compliance. Try to be helpful and do more than what could be considered adequate. By going beyond the bare minimum, you can circumvent avoidable risks.
Being extra cautious is a helpful rule of thumb when you are in doubt about a matter. Check, and double-check; inform, and inform again. When considering a course of action, weigh the various interpretations that can be made of it, and modify the procedure to minimize potential future misunderstandings.
8- Design A Data Breach Response Plan
You could do everything in your power to protect the data, yet things can still go wrong. Vulnerabilities such as software backdoors and zero-day exploits can never be ruled out entirely, so the risk of a data breach is never zero.
Examine probable scenarios and consider the various types of breaches and the nature of the data involved. Think about the actions to take in case of a breach from administrative, technical, legal, and public relations perspectives.
“Incident Response plans that are 30, 40, or 100 pages long may have their place. But a shorter document helps not only during an incident but also before it, raising awareness with the senior leadership about the types of decisions they’re going to be asked to make.” – Liisa Thomas, Chair of the data security practice at Winston & Strawn LLP
Feel free to tell us about your GDPR-related problems. We are planning to write more on this subject and would appreciate your input on the matter.