GDPR: how to implement quickly “at five minutes to twelve”?
The new European General Data Protection Regulation, known as the GDPR, comes into effect on the 25th of May 2018. Only a few weeks remain for entrepreneurs, companies and personal data controllers (administrators) to prepare and ensure compliance.
Many companies have made significant progress or are finishing the process. Many organisations, however, are only starting now or have just started.
- A mapping is a basis
The first step in preparing for the GDPR is to identify and map all personal data processing carried out in your company. This need not be a complicated process: it is enough to answer the basic “criminalistic” questions for each processing activity, identified according to its purpose:
- Who (whether we are a controller or a processor),
- What (what data we process),
- Why (for what purpose and on what legal basis),
- About whom (to whom the data relates) and to whom (to whom the data may be disclosed),
- When (how long we keep the data) and
- How (how we process and protect the data).
Optimally, the output of this mapping phase is an overview of the processing of personal data, which can then serve as the basis for the GDPR records of processing activities.
- Performing a gap (differential) analysis
Once you have mapped the processing activities in the company, the next step is to compare the current situation with the six obligations of every personal data controller under the GDPR. First, check whether you rely on the correct legal basis (lawfulness) for each processing activity. Pay extra attention to consent, because the requirements for obtaining and maintaining it have been tightened. We recommend relying on consent as the legal basis for processing only where no other legitimate basis can genuinely be used (fulfilment of a legal obligation, conclusion or performance of a contract, or a legitimate interest of the controller).
Once the correct legal basis is determined, verify that all the data you process is necessary for a legitimate and predetermined purpose of processing (purpose limitation) and that you keep the data only for as long as necessary (data minimisation and retention period). You also need to ensure that you process only accurate and up-to-date personal data, and only as far as necessary (accuracy).
In addition, you need to review the information you provide to data subjects about the processing, how you respond to their related requests and rights, and how you assist them in exercising those rights (transparency and fairness). In most cases, the existing information will not meet the GDPR requirements on content and form. Companies usually also have no process for responding to requests from data subjects.
Finally, evaluate the risk of each processing activity and adopt and document appropriate technical and organisational measures to protect the processing against unauthorised access or processing and against accidental loss, destruction or damage of data (integrity and confidentiality).
- Finally, the implementation itself
We recommend that you define specific, GDPR-compliant corrective measures on the basis of the identified shortcomings. Given the time available, it is necessary to set priorities for the implementation and adopt a realistic time schedule.
In any case, you can assume that you will not avoid the following “standard” implementation measures:
- creating or updating a processing log (records of processing activities),
- adoption of new or revised internal documentation, in particular in the HR area (entry questionnaires, employment contracts, personal data handling directives, employee information notices),
- adoption of new or revised external documentation (processing notices, direct marketing consents, terms and conditions),
- revision and amendment of contracts with processors (typically an external payroll accountant, security agency or benefit provider),
- performing a basic risk analysis (including an assessment of whether a data protection officer must be appointed or a more detailed impact assessment of the processing is needed),
- documentation of the technical and organisational measures securing the processing, including setting up internal processes (responding to requests and the exercise of rights, incident reporting and documentation, etc.),
- training and testing of employees.
This list is not exhaustive and represents only the standard basic “implementation package”. The specific scope of implementation measures will always vary according to the scope, nature, context and purpose of the processing. In any case, this usual minimum can, for the most part, be handled in the remaining time.
Even if you cannot put all of the GDPR into action, there is no need to fall into despair and passively wait for a massive fine! It is entirely legitimate to expect that the mapping of the processing, the partial implementation of the priorities and a realistic timetable for the remaining measures will be taken into account in the event of an inspection and should protect you from any major sanction.
More posts from Radek Matouš