On May 25th 2018 the GDPR (General Data Protection Regulation) will come into force. When an organisation collects personal data, the person to whom these belong has to have access to their data. Not complying with the GDPR involves high fines. Fines can be up to no less than 4 percent of your total revenue, or 20 million euro. How can your organisation manage these changes? Read all about it in this GDPR checklist!
Inform & document
Inform your employees about the changes concerned with the GDPR. Also make an inventory of your data. What personal data does your organisation collect? Where is it collected? Create an overview. This also goes for any data you have collected in the past. An audit makes it possible for an organisation to gain insight into all collected data and its processing.
Register of Processing Activities & data breach notification
One of the changes that come with the GDPR is the obligation for all businesses to set up a processing register. In it, you document all personal data processes. Any data breaches also need to be registered internally, even when they are not subject to the mandatory data breach notification. When personal data have been leaked, you have a notification duty. Put a procedure in place to locate data breaches, to report them and to investigate them.
As an organisation, make sure you have a privacy statement in place. This statement has to be put in understandable language. When you have a privacy statement, make sure that statement is up-to-date. When the GDPR takes effect, you will have to add extra information to your privacy statement. You will, for example, be required to put in the legal basis for data processing. When you share data outside of the EU, this is included in the privacy statement.
Personal data & data subject’s rights
The term ‘personal data’ will mean considerably more when the GDPR takes effect. Take for instance someone’s handwriting or voice. All data that could possibly lead back to a person, are included. You can only store personal data you really need. When you no longer need certain personal data, you are not allowed to keep it.
Someone whose personal data are being processed, is called a data subject or individual. The data subject’s rights will gain importance when the GDPR is enforced. This means that the data subject or individual whose personal data you are processing will be able to appeal to a number of additional rights. As a business you have to make sure that these rights can be exercised. This could mean, for instance, that you have to give data subjects access to the collected data, and enable them to correct or even delete some of it. It also has to be possible for data subjects or individuals to immediately refuse marketing strategies such as newsletters. When the GDPR is enforced, you will have to respond more quickly to requests made my individuals than before. Take the deletion of personal data, for example. The request has to be processed within 30 days.
The new rules also state that a data subject has to give their explicit consent for things such as their subscription to a newsletter. This will reduce the intrusiveness of cases such as (unwanted) newsletters. You have to be able to prove at all times that explicit permission has been given by the data subject. Make sure you have an audit trail, to be able to prove the data subject’s consent.
Data Protection Officer
When your business processes personal data on a daily basis, you need to appoint a Data Protection Officer (DPO). This can be someone from within the organisation, or an external advisor. The Data Protection Officer monitors whether the new rules are complied with within the organisation. If it is not entirely clear whether you need to appoint a Data Protection Officer, you have to substantiate your choice for either having or not having a DPO.
Team up with Cloud 1 and rest assured knowing you are using a fully GDPR-compliant Cloud service.
Do you have any questions?
Contact us today and discover how Cloud 1 can help you to meet GDPR requirements and leverage the Cloud to grow your business.