10 step guide for GDPR / Privacy compliance
Joost Krapels
Privacy is becoming a larger topic by the day, and there is a good reason for it. As of May 25 2018, all companies in EU Member States that interact with Personal Data have to abide by the General Data Protection Regulation (or GDPR for short, AVG in Dutch). Based on the 10-step summary by the Dutch Information Supervisory Authority (Dutch summary here), we made a practical summary. This checklist is no guarantee for compliance, but should give a good overview.
Step 1: GDPR Awareness
Awareness of the new rules across the whole company is the first step. Compliance with the GDPR happens on all levels, from secretaries to CEOs, and from developer interns to system engineers. All employees should be aware that things have changed, and in which way this affects their activities on a day-to-day basis. An effective way of doing this is by organizing internal security or privacy sessions, or by having a dedicated employee for all privacy and security matters (such as a Data Protection Officer).
Step 2: Rights of the Data Subject
The rules around Personal Data ensure that Data Subjects can exercise their rights regarding privacy. They have the right to transparency, rectification, erasure, and in some cases portability of data on them. You should think of a process to make sure people can exercise their rights.
Step 3: Record of Processing Activities
The GDPR requires large companies and companies that process special personal data to keep a record of all processing activities. One should, among other things, record the purpose, the type of personal data, whom the data is shared with, and information about how it is secured. The exact requirements can be found in Article 30 of the GDPR.
Many organizations involved with privacy-related activities use the ISO 27001 standard for information security. Part of following this standard is to keep a register of all Information Assets. This register is a good starting point and can be used as an input for the Processing Activities Record.
Step 4: Data Protection Impact Assessment
When implementing activities, processes, and technologies that are likely to be “high risk”, a Data Protection Impact Assessment (or DPIA for short) needs to be carried out by the controller or processor. The Supervisory Authority publishes a list of the kinds of processing activities that do or do not need a DPIA. The DPIA should contain, among other things, a description of the data processing and its purpose, and an assessment of the expected risk and how that will be addressed. The full requirements can be found in Article 35 of the GDPR.
Step 5: Privacy by Design and by Default
The principles of Privacy by Design and Privacy by Default should be known and acted upon by every employee in your organization. Privacy by Design means that during the design of a system, software, or activity, privacy should be an important aspect. Privacy by Default means that no more data is collected than is necessary for a purpose, that it is not made accessible to third parties without the data subject’s consent, and that in general privacy is the standard, the default.
Step 6: Data Protection Officer
A Data Protection Officer needs to be appointed when the core activities of a company consist of processing operations of data subjects on a regular basis and large scale or are of a sensitive nature, or if the processing is carried out by a public authority or body. This person can be a trained (for example by ICT Institute) internal employee. You can also appoint an external expert (from ICT Institute for example). He or she is allowed to perform other tasks besides being a DPO, but only if this does not conflict with data protection duties.
Step 7: Notification of a personal data breach to the supervisory authority
The requirement to report “data leaks” or data breaches stays in place. Organizations should set up a data breach procedure, so data leaks can be handled as efficiently as possible, should they occur.
Step 8: Data processing agreement
When a controller hires a processor or a processor hires another processor, a data processing agreement (DPA) needs to be made. The agreement should state that the personal data shall only be used for its intended purpose, that proper security is in place, and how a possible data breach will be handled. We have a (Dutch) template available on request.
Step 9: Lead Supervisory Authority
Organizations with branches in several EU member states should determine who their Lead Supervisory Authority is. This is usually the SA of the main or only establishment of the controller. Having only one point of contact is the main reason behind this approach, which is also (very fittingly) called the one-stop-shop rule. In the Netherlands, the Lead Supervisory Authority is the Autoriteit Persoonsgegevens.
Step 10: Consent
Consent for data processing should be explicitly and unambiguously given by the Data Subject. The consent must be as easy to withdraw as it is to give, and is limited to the processing purpose as stated. Should you wish to use that data for other purposes, then consent for those purposes has to be given as well.
At the time of writing this article there are four months left to become compliant. Using these 10 steps as guidance, that should be plenty of time. More information can be found on our website (see for example our initiative Security Verified) or on the website of the Dutch Information Supervisory Authority Autoriteit Persoonsgegevens. If you would like to get more involved in information security, do not hesitate to sign up for our Special Interest Group.
Image credit: glenn-carstens-peters via unsplash
Joost Krapels is an MSc student in Information Sciences at the VU Amsterdam, with a focus on Business Information Systems. He is writing his Master's thesis on GDPR compliance as an intern at ICT Institute, and has a BSc in Lifestyle Informatics (previously Artificial Intelligence).