Dutch DPA Offers 10-Step Plan for GDPR Readiness

The Dutch DPA recently published a 10-step plan to help organizations prepare for the EU General Data Protection Regulation (GDPR), which will come into force on May 25, 2018.

Step 1: Awareness

Organizations should ensure that the appropriate people are aware of the new changes brought about by the GDPR. These individuals need to assess how the GDPR will impact their organization's current processes, services and products, as well as what needs to change in order to comply with the GDPR.

This assessment should be started as soon as possible, due to the GDPR’s lengthy requirements and large penalties for non-compliance.

Step 2: Rights of Data Subjects

The rights of data subjects have been expanded under the GDPR. Therefore, organizations need to ensure that processes (both technical and administrative) are in place that enable individuals to exercise those rights.

Data subjects will have the ability to file complaints with DPAs about how their personal data is handled, and how their rights are respected. DPAs will consider every complaint.

Step 3: Records of Processing Activities

The GDPR requires organizations to keep up-to-date records of their processing activities, including information about the personal data processed, the purpose for processing it, where it originated, and who it is shared with. Organizations need to be able to demonstrate their compliance by sharing these records with DPAs, upon request.

Step 4: Data Protection Impact Assessment (DPIA)

Under the GDPR, organizations must conduct data protection impact assessments (DPIAs) when a processing activity is likely to result in high risk to the rights and freedoms of individuals. However, it is recommended that DPIAs be performed for all processing activities, regardless of risk level.

If identified risks cannot be mitigated successfully, the organization must consult with the DPA prior to commencing the processing activity.

Step 5: Privacy by Design and Data Protection by Default

Organizations need to be aware of the GDPR’s requirements for privacy by design and data protection by default, and begin integrating these principles within their organization.

Privacy needs to be embedded throughout the process of designing products and services. Technical and organizational measures must be in place to ensure the integrity and confidentiality of personal data, and to ensure that personal data is processed only when necessary to achieve a specific purpose.

Step 6: Data Protection Officer (DPO)

Some organizations may be required to appoint a DPO. Organizations need to assess whether this requirement applies to them, and if it does, appoint a DPO as soon as possible to be ready for the GDPR. Regardless, many organizations may want to appoint a DPO as a best practice, even if the requirement does not apply.

Step 7: Data Breach Notification

Data breach notification requirements are largely the same under the GDPR. However, the GDPR has stricter requirements around recording information about data breaches that occur.

All data breaches must be documented internally, regardless of whether they must be reported. The documentation must be ready to be shared with a DPA, upon request.

Step 8: Processor Agreements

Organizations need to re-examine their agreements with data processors to ensure that they meet the requirements of the GDPR. New agreements should be drafted with the GDPR’s requirements in mind.

Step 9: Lead Supervisory Authority

Organizations with establishments in, or that conduct processing activities in, multiple EU Member States may be subject to regulation by multiple supervisory authorities. However, organizations need to identify the lead supervisory authority with whom they will work.

Step 10: Consent

Requirements for obtaining valid consent from individuals are stricter under the GDPR. Organizations that rely on consent as the legal basis for a processing activity need to ensure that the consent meets the requirements under the GDPR. This includes how the consent is requested, obtained, recorded, tracked, and amended.

Organizations need to be able to demonstrate that consent meets the GDPR’s requirements, and ensure that individuals have a way to easily withdraw their consent at any time.
