The 10 most important actions everyone needs to take to get prepared for the new General Data Protection Regulation (GDPR)

by Pablo Alvarez

The new GDPR approved by all EU members will be effective from 25th May 2018. On this day, all the companies inside or outside the EU that hold or process personal information of EU citizens will need to fulfil its requirements. Each member state will have 2 years to determine its own rules and disclose these to the EU Commission.

Pablo Alvarez: explorer, traveller, passionate about life and technology. For 16 years Pablo has been leading digital transformation journeys and strategic technical roadmaps in hospitality and retail businesses across Spain, Mexico and UK.

What are the key changes introduced by this new piece of legislation?

  • Need to appoint an internal or external Data Protection Officer (DPO) and setup a Data Protection Office in the company with representatives from different parts of the business (Legal, HR, IT, Operations, Board, Marketing…)
  • New rights to data portability and a right to be forgotten.
  • Special rules around profiling and use of children’s data.
  • A new requirement to notify data protection supervisory authorities if a data breach takes place.
  • Fines for non-compliance of up to EUR 20,000,000 or (if higher) 4% of the global annual turnover of the organisation.
  • A requirement to apply principles of ‘privacy by design’ and ‘privacy by default’ into the process of developing and launching new technologies, products, services, etc.
  • A new obligation to carry out privacy impact assessments.
  • Reinforcement of individual’s rights, with precise consent requirements for personal data purposes.

In the case of any data breach, a notification needs to be sent to the national regulator within the following 72 hours, and the inspection will require all necessary information in order to prove that the business has a data protection plan and all the possible measures have been put in place. The companies will have to demonstrate their proactivity documenting all the data processes, logging accesses and exceptions, contract management (with all 3rd party companies involved in personal data),…

All this work will require proper planning, resources and the involvement of the different departments across the business, as in one or another way they will all be affected by the changes introduced by GDPR.

The scope of what will be considered as personal data changes includes any information relating to an identified or identifiable person, directly or indirectly, online or physical, physiological, genetic, mental, economic, cultural or social.

This new regulation is essential for protecting both companies and customers. It will deliver a trusted link between both of them, reassuring personal data as an extremely important asset that need to be accordingly protected.

The 10 most important actions you need to take to get prepared for GDPR

  1. Review all personal data held by your organisation.
  2. Ensure you are able to demonstrate compliance.
  3. Maintain detailed processing records.
  4. Review and update all data privacy notices.
  5. Review your internal policies and procedures:
    1. New procedures will be required to deal with the GDPR’s new transparency and individuals’ rights provisions.
    2. In a large business this could have significant budgetary, IT, personnel, governance and communications implications.
    3. Implement internal policies and measures which take into account Privacy by Design and by Default.
  6. Spread awareness of the GDPR in your organisation
    1. Companies should particularly use the next 12 months to raise awareness of the changes that are coming and invest in company-wide training.
    2. Establishing data protection as a cultural feature of your organisation will be critical in ensuring compliance in the long term.
  7. Implement training and review checklists for data protection.
  8. Implement internal breach notification procedures and incident response plans.
  9. Allocate responsibility and budget for data protection compliance.
  10. Identify and train the Data Protection Officer.

Source: ERA Website