100 days into GDPR: Time to breathe a sigh of relief?

Several weeks have gone by since GDPR entered into force. Meanwhile, the General Data Protection Regulation has left the headlines as well as the agendas of many businesses. The creation of the records of processing activities, the risk impact assessment and the related data collection have taken up a lot of time and money. And still, this is not the moment to take it easy. Have you done your homework yet?

Many organisations are keeping the mandatory records of processing activities in an Excel sheet, firmly believing that this would satisfy their obligations with regard to GDPR. But who is checking whether these obligations are kept? Who is guaranteeing for their correct maintenance? Who is responsible for the future compliance with GDPR? Which employee is dealing with the processes concerning the rights of data subjects? If the answers to these questions are inadequate, even a clear conscience cannot prevent businesses from facing serious data protection problems. The development of new data silos is a further threat to the daily routines with GDPR and furthermore puts a severe strain on the potential of data analysis.

Ten points for continuous GDPR-compliance

Take some time to carefully read the following checklist. It will provide you with an overview of the data protection procedures that will now accompany you in your daily work. If you seriously consider the issues it names, the checklist can make the day-to-day dealings with GDPR easier for your company.

1) Use a structured database.

The amount of data kept in unstructured electronic information such as emails, text messages, WhatsApp or even images is still too large. Using a structured database which can handle the exponentially rising amount of data today and in the future is the optimal solution for businesses.

Use GDPR-compliant declarations of consent for the use of personal data.

Data processing is permissible if consent has been given in a GDPR-compliant manner. However, the use of personal data is permitted even if the company has a legitimate interest in using the data. The requirements for these declarations of consent have been tightened: For example, the minimum age has been set to 16 years.

3) Consider the extent and necessity of data.

Personal data that is stored without actually being required poses a risk to the company which keeps it. Data may only be processed if it is really necessary for the intended purpose of processing.

4) Keep data protection in mind when you design and develop your software and hardware.

All projects involving personal data that will subsequently be processed by a company must be developed according to the “Privacy by Design” principle. Businesses can either retrofit their existing systems or replace them with new, GDPR-compliant ones.

5) Let all employees participate in data protection.

As a general policy, data protection should never be the responsibility of a single person. It should be part of the daily routines of all employees. Provide your staff with regular training sessions.

6) Don’t rely on ISO/IEC 27001 certification.

ISO/IEC 27001 certification alone is not sufficient proof of adequate protection against unauthorised access on personal data. Instead, businesses have to check whether the certification has been extended, for example by adapting the risk assessment method to include the rights and freedoms according to GDPR.

7) Always assess the risks and consequences on the data subjects in advance.

Whenever an organisation is implementing new technologies and processing will lead to the possibility that the rights and freedoms of individuals may be put to a high risk, a data protection impact assessment has to be carried out.

8) If data protection has been infringed: React quickly!

EU-GDPR includes a clear requirement concerning infringements of data protection: If such an incident becomes known to a company, it has to report it to the respective supervisory authorities immediately, as a general rule within 72 hours of learning about the infringement.

9) Make a conscientious choice regarding the record of processing activities.

Businesses need a flexible and safe record to document all processing activities in connection with personal data. While Excel may serve as a temporary stopgap, professional GDPR management systems allowing for processing in compliance with data protection are much better equipped for long-term use.

10) Provide for perfect technical conditions to manage the rights of data subjects.

If a person executes his or her “right to be forgotten”, the standard functions to delete data as provided by operating systems and databases are usually not enough to meet the requirements of EU-GDPR since they do not physically delete the data. Data protection experts recommend the use of dedicated software for that purpose.

What’s next?

While reading this checklist you will soon have realised: Professional GDPR compliance management systems offer real added value to businesses with regard to observing the requirements of the basic principles and concepts that need to be complied with. This is particularly true for organisations that manage the records of processing activities by default or automate the processes on the rights of data subjects or reports to the authorities.