GDPR

1. Appoint roles and responsibilities

The GDPR makes having a data protection officer (DPO) mandatory for organisations larger than 250 people. But also for organisations with large-scale (or intensive) processing of personal data.

As an organisation, the GDPR requires you to appoint an FG if you track individuals on a large scale or process special personal data of individuals. For both aspects, this must be a core activity of the organisation (source).

Consider:

The number of data subjects (the people whose data you process);
The amount of data you are processing;
The duration of the data processing;
The geographic scope of the processing.

A DPO can be appointed internally but can also be organised externally. Furthermore, you can also set up the DPO as a team. For larger organisations, it is further recommended to delegate tasks of the DPO to the various organisational units through so-called privacy officers.

The responsibility of the DPO is to ensure compliance with the GDPR as a supervisor. Tasks to be performed in this regard include performing/attending DPIAs (see step 2), assessing and reporting data breaches (see step 4), and monitoring compliance by auditing and reporting.

Furthermore, you need to determine what your privacy aithority is. If you operate internationally in different countries, this may differ. Consider the location of the headquarters or where large-scale processing of personal data takes place. If this is not immediately clear to your organisation, you can contact your local privacy authority for this.

Within your organisation, you will also want to appoint responsibles for the datasets in which personal data are stored/processed. These 'system owners' are identified in step 2.

And of course the management of the organisation has a responsibility in directing and promoting all activities required to comply with the GDPR.

Tip

To get your information management (and by extension security) in order, an inventory of all information systems is highly recommended.

Tip

Don't know where to start? Then make use of any information that may already be available:

Existing policies;
List of system owners;
Assignments / customer contracts;
Overviews of information flows / information architecture; and
Audit reports.

Examples of typical processing in organizations:

HR: personnel administration including applicant data;
CRM: contact information of customers / leads (e.g. from web forms;
Support / help desk: contact information of users / customer contacts;
Procurement/administration: personal information from suppliers, clients and other service providers (insurers etc.); and
Saas/cloud applications: user data (for identity management purposes).

Base27 offers complete support for the GDPR

2. Identify and record processing activities

Next is to identify the storage/processing of personal data by your organisation. You can do this on the basis of information systems used or on the basis of processing activities (processes). The choice here is mainly determined by the number of information systems used as well as the nature and size/complexity of the organisation.

If you opt for the information systems approach, you must also identify the processing activities.

For each of the processing operations you need to identify the person responsible, the purpose, those involved, the personal data used and the processors, as well as the period in which the data will be destroyed. Keep in mind that the data used must be proportional to the purpose of the processing.

3. Concluding processor agreements

If the data is passed on to third parties (processors), you must conclude an agreement with these parties whereby the privacy rules are safeguarded. This can - and preferably should - be done on the basis of a processor agreement. A processor agreement lays down the purpose for which the data may be processed and the responsibilities of the processor. The agreement also imposes a possible fine if the processor defaults.

Such a fine (potentially rising to millions as a result of the GDPR) may be disproportionate for the processor. Therefore, depending on the scope and type of processing, a privacy statement of the processor can also be considered, if this statement sufficiently addresses the required privacy rules. The processor is of course expected to adequately implement this statement.

An alternative is also to impose the same privacy and security requirements on the processor as you as controller apply to the processing of personal data. However, you will then also have the obligation to monitor compliance with these through audits and/or reports. And you will have to periodically evaluate the agreements.

4. Provisions for data subject rights

To safeguard the rights of data subjects, you will need to take a number of provisions. These include, in particular:

Consent and transparent information and communication:
- Draw up a privacy statement for the central website that specifies the purpose and use of personal data;
- Establishing permission to use personal data;
- Include unambiguous purpose and processing of personal data used in contracts;
Insight into purpose and processing of data plus limitation of use of data to the purpose of processing:
- Provide opportunity for inspection of purpose and processing of data of data subject. This can be based on the processing register where you can inform the data subject about the processing operations carried out with/for the relevant target group;
Correction and/or deletion of data and notification of deletion:
- Provide possibility for data subject to realise correction or deletion of personal data. Consider mailing systems with a personal profile and an unsubscribe option;
- Maintain retention periods. For example, the maximum retention period for applicant data is one month after the end of the application process;
Restriction of transfer of data to others other than necessary for the purpose of processing;
Possibility of objection and option of no automatic processing:
- Minimum contact information on website;
- Cookie consent setting (option not to keep cookies when using the website) etc.

5. Conducting a DPIA

You should also ask yourself whether one or more DPIAs should be conducted for the processing activities in question. A DPIA is a Data Protection Impact Assessment and could be considered as a risk analysis with the scope of the processing activity. A DPIA should always be conducted unless:

With certainty does not pose a high privacy risk;
Is very similar to another data processing for which a DPIA has already been carried out;
Is regulated by another European or national law and a DPIA has already been carried out when this law was created (unless the privacy regulator judges that a DPIA is still necessary);
Is on a list of processing activities for which a DPIA is not required. The GDPR allows the privacy supervisor to draw up such a list, but it is not mandatory.

If you need to carry out a DPIA then you can use Base27's support for this.

6. Information security measures

Finally, you should have or bring in order the information security of the systems on which personal data are stored/processed. To do this, you can ask yourself the following questions:

Is there a policy regarding information security?
Do we perform regular risk assessments to keep our security in order? And do we take countermeasures to mitigate the risks?
Do we monitor the effectiveness of the countermeasures and adjust if necessary?
Do we perform a risk analysis and/or a DPIA for new projects/changes?
Are our employees aware of the risks associated with information security/privacy protection? And are they aware of the measures/rules that apply here?
Do we have a procedure for reporting data breaches?

Is this all in order? Congratulations: you are ready for the GDPR!

GDPR: General Data Protection Regulation

Approach to implementation