Many companies have already made significant progress with their GDPR preparation or are finishing it. However, many organisations are only starting now or have just started.
The first GDPR preparation step is to identify and map all processing of personal data that takes place in your company. This does not require complicated processes; it is enough to answer the basic “criminalistics” questions (who, what, why, where, how long) for each processing activity, with the activities identified according to their purpose:
Optimally, the output of this mapping phase should be an overview of the processing of personal data, which can then be used as the basis for the GDPR data processing records.
Once you have mapped the processing activities in the company, the next step is to compare the current situation with the six responsibilities of every controller (administrator) of personal data under the GDPR. First, check whether you rely on the correct legal basis (lawfulness) for each processing activity. Pay extra attention to consent, because the requirements for obtaining and maintaining it have been tightened. We recommend relying on consent as the legal basis only where no other legitimate basis is genuinely available (fulfilment of a legal obligation, conclusion or performance of a contract, or a legitimate interest of the controller).
After determining the correct legal basis, verify that all data you process are necessary for a legitimate, predetermined purpose of processing (purpose limitation) and that you keep the data only for as long as necessary (data minimisation and retention period). You also need to ensure that you process only accurate and up-to-date personal data, to the extent necessary (accuracy).
In addition, review the information you provide to data subjects about the processing, and how you respond to their related requests and rights and assist them in exercising those rights (transparency and fairness). In most cases, existing information notices will not meet the GDPR requirements on content and form, and companies usually have no process in place for responding to requests from data subjects.
Finally, it is necessary to evaluate the risk of each processing and to accept and document appropriate technical and organisational measures to protect the processing from unauthorised access or processing and from accidental loss, destruction or damage of data (integrity and confidentiality).
We recommend that you define specific corrective measures for the shortcomings identified so that the processing becomes GDPR compliant. As far as timing is concerned, set priorities for implementation and adopt a realistic schedule.
In any case, you should expect that the following “standard” implementation measures cannot be avoided:
This list is not exhaustive and represents only the standard basic “implementation package”. The specific scope of implementation measures will always vary according to the scope, nature, context and purpose of the processing. Even so, you can for the most part handle this usual minimum in the remaining time.
Even if you cannot put all of the GDPR into practice, you need not fall into despair and passively wait for a massive fine. It is entirely legitimate to expect that the mapping of processing activities, the partial implementation of the priorities and a realistic timetable for the remaining measures will be taken into account in the event of an inspection and should protect you from any major sanctions.