How did your organisation prepare itself for this new stringent privacy legislation? We gathered 10 tips that can help you improve your compliance:
- Take privacy seriously. With the wrong mindset, you will never be really GDPR compliant. It takes (among many other things) understanding of real life risks of misusing personal data in order to prevent such trouble. Nice words in privacy statements alone will not protect the data subject. Do not only get the words right, but act upon them.
- Prepare, prepare, prepare. If you are confronted with requests from either the data subject or the supervisory authority, it is best to have thought about questions such as: what kind of personal data are stored, what is the purpose of that, where are they stored, who is responsible for them etc.
- Use tooling. If your organisation is small, an Excel sheet might do the job, but the article 30 register of processing activities, the breaches register of art. 33 and 34, and the data processing impact assessments of art. 35 can easily grow to a complex information system. There is specialised tooling available to maintain those records.
- Use checklists. Even with specialised tooling, it might be necessary to keep track of the various steps that your organisation has to take in order to attain compliance. There are so many possible steps to take that it is impossible to keep track of them without using at least some list or spreadsheet.
- Be thorough. If a supervisory authority would enquire, they are likely to ask detailed questions. The better you are prepared by making detailed inventories of processing activities, the bigger the chance that you will be able to satisfy the supervisory authority’s curiosity.
- Be transparent. Remember the massive Yahoo data breach that was kept secret for two years? Hiding things from either the data subject or the supervisory authority will backfire. Breaches should be notified, records made available when required. Transparency will gain your organisation trust.
- Be accountable. Nothing is worse than blaming someone else. During the U.S. Senate hearing, Mark Zuckerberg took the blame for most of the misuse of personal data by Cambridge Analytica. Whether that really helps remains to be seen, but it is a first step towards taking more measures that prevent the wide-scale misuse of personal data.
- Work together. You are not the only one with questions about how to interpret the GDPR. With limited guidance and no legal judgements available, interpretation of the rules is a necessary step for everyone. Talking to other people in similar positions will help you make up your mind regarding choices you will have to make.
- Use your common sense. There are quite a few far-reaching obligations in the GDPR. Although it is important to take these seriously, no one can ask the impossible from you. So, although you have to show a detailed record of what is going on with personal data, the granularity of this should be within reasonable limits.
- Ask for help. Your supervisory authority may make some guidance available which helps you to comply with the GDPR in various respects. But if you do complex things with personal data and do not have the resources yourself, a lawyer or consultant might help you attain compliance – at a cost, obviously.
PrivacyPerfect is a GDPR compliance tool provider working across multiple member states of the EU.