"Does GDPR affect me?" is a common question among entrepreneurs.
Recently, there has been a lot of buzz around the new pan-European data protection regulation - the General Data Protection Regulation (GDPR). Why? As it turns out, many entrepreneurs are unaware that the Regulation will apply from May 25, 2018, and that they must plan and then implement changes to how they manage personal data. In a survey conducted by the DMA in 2016, when asked how prepared they were for the inevitable changes, 46% of the surveyed companies reported complete readiness, 24% said they were partially ready, and 30% considered themselves completely unprepared.
To make sure you are among companies that are required to adapt to the new rules under GDPR, please check the infographic below:
How can I prepare for the implementation of GDPR?
If, after analyzing the infographic, you know that your company is among those that must modify their personal data management systems, you should understand both the nature and the scale of the upcoming changes. It is important to familiarize yourself with the core GDPR checklist prepared for this occasion; its tasks should be completed by May 25, 2018. The checklist consists of five key areas of activity that organizations should consider in order to be fully compliant with the Regulation:
The first area covers gap analysis and compliance analysis (a gap analysis compares actual results with the potential or desired state):
- Review products and services which are offered in the company
- Review collected data sets and owned management systems
- Review current privacy notices and policies (including methods used for communicating to relevant individuals and obtaining their consent)
- Review the current documentation related to privacy compliance
- Review the current legal bases referring to the processing of personal data
- Check the existing uses of children's data and sensitive personal data
- Identify gaps in your compliance with the current EU law and GDPR
- Identify and plan compliance actions related to GDPR
The second area involves establishing a management system in your organization:
- Develop an accountability programme and the management review process
- Prepare a compliance documentation suite - a data breach register, a data processing register, and privacy impact assessments
- Select a data protection officer
- Update policies for handling requests for access to information, materials and objects
- Update and conduct training regarding data protection and management for company personnel
- Make sure that technical and operational procedures exist to uphold the rights of the individuals who have provided their data, such as the right to be forgotten, the right to data portability, and the right to object
- Improve the organisational compliance methodology
The third area covers keeping contracts and policies clear and meaningful:
- Check third party contracts related to personal information
- Review the existing legal bases in the organization and confirm that they are sufficient within the framework of the Regulation
- Create templates for agreements of data processing for third party service providers; agreements concerning the export, import and processing of intra-group data; control contracts with partners and external parties; apportionment of liability clauses
- Verify and update public privacy notices, employee privacy notices and corporate policies
- Implement an overarching data protection policy that brings together all the rules and processes involved in protecting the privacy of the data entrusted to you; treat this implementation as a design process in the broad sense
- Review and establish the conditions determining agreement to privacy
The fourth area introduces actions to maintain an adequate level of security:
- Determine whether the organization processes sensitive personal information, along with its kind and quantity
- Check all cross-border data flows (between Europe and other continents); review and update the mechanisms used to export data
- Check security protocols and consider integration of security measures specified under GDPR, including encryption and pseudonymisation
- Review and update action plans in case of a data breach
- Inform staff of the rules on the obligation to report all security breaches
- Draft security breach notification templates and a security breach response plan
The fifth area focuses on assessing the impact on privacy and personal data protection at the design stage:
- Develop privacy impact assessment criteria
- Treat personal data protection and the review of privacy as a design process (privacy by design)
- Develop a privacy impact assessment protocol
In conclusion, the General Data Protection Regulation applies to all entities established in the European Union whose activities involve the processing of personal data. GDPR also applies to businesses headquartered outside the European Union that process the data of people in the EU, offer them products and services, or monitor their behavior. This Regulation is the biggest change in the approach to personal data protection in the past twenty years. It is advisable to review your company's data protection posture as quickly as possible and take action to become an entity that fulfils the provisions adopted in May 2016. Market participants should be aware that any failure to comply with the rules will be punished severely, with financial penalties of up to 4% of annual turnover, or EUR 20 million.