The General Data Protection Regulation (GDPR) has been in force for some time now, yet a great deal remains unclear. Many companies are trying to comply with the GDPR but cannot see the wood for the trees.
What is the objective of GDPR?
The GDPR aims to strengthen the control and protection of personal data through risk management, accountability and awareness. Its underlying principle is to make organisations systematically assess the risks their processing poses to data subjects, so that those risks can be mitigated.
A quick privacy check:
- Have the risks been analysed, documented and accounted for, and can you demonstrate that your risk management process is ongoing rather than a one-off exercise?
- Do you know which GDPR obligations apply to you? Article 30 requires organisations to keep records of processing activities, but there is more. For example, you must carry out a data protection impact assessment (DPIA) where processing is likely to result in a high risk to data subjects (Art. 35), inform data subjects about which data you hold and why (the duty of disclosure, Art. 13 and 14), and limit collection to the data required for a specific purpose (data minimisation, Art. 5(1)(c)).
- Can you demonstrate that your employees are sufficiently aware of their data protection rights and duties?
Method: Organisational analysis, codification and awareness & continuity
The organisational analysis establishes full accountability by mapping processes, risks and infrastructure against the GDPR's requirements.
Codification is the process of recording and introducing the measures and protocols that protect personal data.
How awareness and continuity of data protection are ensured depends on the maturity level of your organisation.
YOUR STAFF, OUR SPECIALISM
Have you considered…
- Analysis of data processing activities and risks.
- Comprehensive accountability for all data processing activities.
- Organisation-wide awareness of universal data protection principles.
- Privacy statement that covers all data processing activities.
- Retention periods.
- Specification of storage methods.
How to comply with GDPR
Responsible data processing
When processing personal data, you are responsible for demonstrating compliance with the principles of the GDPR (Art. 5(2)). This applies to every organisation. So, in addition to keeping records of processing activities, you must also give effect to the processing principles and the duty of disclosure.
To define protection measures that eliminate or mitigate the risks to data subjects, you first need insight into those risks (Art. 24). A DPIA is only mandatory for high-risk processing, but it is always sensible to map both the data protection risks and the organisational risks.
Take appropriate measures
To ensure full accountability and coordinate compliance, every organisation should have protocols and specific measures in place that underpin its processing activities.
Awareness & continuity
This covers awareness of the GDPR within the organisation, business continuity arrangements and support for ongoing risk management. Demonstrable compliance requires a complete compliance method, not isolated measures.
That method must be tailored to the organisation. With an organisation-specific approach you can mitigate the risks to your data subjects and demonstrate that your organisation is GDPR compliant.