But the truth is, these companies have no choice but to show 100% compliance to the new legislation as if they’re not, from today, they could face fines of up to €20 million or 4% of global turnover.
A mountain of work will have gone into preparation for today’s deadline but it doesn’t stop there. Building compliance within processes and ensuring you maintain new procedures that have been put in place will be a constant challenge.
Data protection officer
The appointment of a data protection officer (DPO) is mandatory when an organisation is a public authority or body, or when a company’s core activities involve:
1. Data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
2. Large-scale processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation, etc.) and personal data relating to criminal convictions and offences.
Having a DPO can be a huge help in making sure you don’t breach GDPR legislation. They will take responsibility for all data protection queries you or your employees may have. They also form a link between both the public and the organisation’s employees in relation to the processing of personal information held.
They also help with the following:
Your DPO may be an asset to your organisation, but this doesn’t mean you should rest on your laurels
If there are still members of staff within your organisation who know nothing about GDPR – although hard to believe – then you’re at serious risk. A DPO’s role involves raising awareness so everyone knows what’s going and what is required of them. They should organise training and ensure all questions are answered.
Despite rigorous training and numerous informative emails, employees are not expected to be GDPR ‘whizz kids’, thus there should always be someone they can turn to for expert advice. This is another area where a DPO comes in.
DPOs will also consult and provide advice on data protection impact assessments (DPIA) – a process that helps you identify and minimise the data protection risks of a project.
Although a major part of the DPO’s role, it would be near impossible to monitor compliance completely on their own. By also enlisting in-house ‘data champions’ in key areas of the organisation, it will lessen the overall risk of a breach. This can be especially important in a company that has offices in different locations.
Your DPO may be an asset to your organisation, but this doesn’t mean you should rest on your laurels. Make sure your data is highly guarded and protected.
For GDPR compliance, you can use three techniques to protect data: encryption, pseudonymisation and anonymisation. The user’s rights and the usage context will dictate the appropriate technique to be used. To lighten some pressure, make sure to only keep the data you absolutely need.
Finally, auditing is fundamental to GDPR compliance. Your business will need to be able to produce reports that clearly show regulators you:
• Understand what personal data you have and where it’s located.
• Correctly manage the process for gaining consent from individuals who are involved.
• Can demonstrate how personal data is used, who uses it, and for what purpose.
• Have the appropriate procedures in place to manage things, such as ‘the right to be forgotten’ and data breaches.
GDPR is here to stay…
You may no longer have to prepare for the arrival of GDPR but don’t bury your head in the sand, as now more than ever, does it require action. Ensure you are compliant and maintain it, or prepare for the consequences.