Organizations must focus now on five high-priority changes to ensure compliance when GDPR comes into force:
Determine Your Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a “data controller.” Therefore, the GDPR applies not only to businesses in the EU, but also to all organizations outside the EU that are processing personal data for the offering of goods and services to the EU, or that are monitoring the behaviour of data subjects within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.
Appoint a Data Protection Officer
Many organizations will be required to appoint a data protection officer (DPO) as a result of the GDPR. This is especially important when the organization is a public body, is processing operations requiring regular and systematic monitoring, or has large-scale processing activities. “Large scale” does not necessarily mean hundreds of thousands of data subjects — early drafts of the GDPR mentioned the processing of data on more than 5,000 subjects in any 12-month period.
Demonstrate Accountability in All Processing Activities
Purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, but also applied to existing processing activities. This will help to maintain compliance in future personal data processing activities. Organizations must demonstrate accountability and transparency in all decisions regarding personal data processing activities.
Third-party service providers (i.e. data processors) must also comply, and this will impact an organization’s supply, change management and procurement processes. Accountability under the GDPR requires proper data subject consent acquisition and registration. Pre-checked boxes and implied consent will no longer be sufficient. Instead, organizations will be required to implement streamlined techniques to obtain and document consent and consent withdrawal.
Check Cross-Border Data Flows
Data transfers to any of the 28 EU member states will still be allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries the European Commission (EC) has deemed to have an “adequate” level of protection will also be possible. Outside of these areas, organizations should use appropriate safeguards, such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., “EU Model Contracts”).
Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed (e.g., in case of a data breach, or to receive an explanation, for example in machine learning systems’ automated decision making).
If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.
Will GDPR make you more customer centric?
What have you put in place to prepare your business for GDPR? What opportunities does GDPR present for your business?
GDPR presents a much bigger opportunity outside of compliance with the new regulations. The new legislation will allow more personalized experiences for our customers and will force companies to be more customer-centric.