10 Key steps for compliance with the GDPR
The European Commission granted two years between the entry into force of the General Data Protection Regulation and its full implementation, on 25 May, for companies to adapt to the new rules. There are just under two months to go and there are still many entities that do not know where to start. According to Jane Kirkby, these are the essential steps to achieve this goal.
On 25 May 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the General Data Protection Regulation (GDPR), entered into force, repealing Directive 95/46/EC of 24 October 1995. These new rules have brought numerous challenges to all entities and agents whose activities involve the processing of personal data.
Considering that the full implementation of the Regulation was set for May 25, 2018, entities had two years to identify and implement the changes necessary to comply with the new data protection regime, including the adoption and implementation of new security measures.
There is still time
It turns out that the countdown to May 25 has already begun, and the truth is that most companies in Portugal have not done their homework and a large share still do not know what to do. Nevertheless, we believe that, by "rolling up our sleeves," it is still possible for organizations to comply with the GDPR by then.
The first thing to bear in mind is that the GDPR is not the “bogeyman” but rather a challenge for entities and agents, an opportunity to assess how activities involving the processing of personal data are performed by companies and define and implement compliance policies with the new rules.
Where to start?
1. Survey of databases
The first task is to survey all the activities that involve the processing of personal data and to catalogue the databases involved, for example those of workers, newsletter subscribers, clients and suppliers.
2. Verification of compliance with the principles relating to the processing of personal data
Each database must be surveyed to verify whether the principles relating to the processing of personal data are being complied with:
- Lawfulness, loyalty and transparency;
- Limitation of purpose;
- Minimization of data;
- Preservation limitation;
- Confidentiality and integrity.
3. Identifying the basis for processing
The processing of each database must have a legal basis.
The basis for the processing of each database may have different sources, such as the consent of the data subject, the performance of a contract or pre-contractual procedures, legal obligations, defence of vital interests, functions of public interest and the exercise of public authority or legitimate interests.
4. Review of consent forms and contracts
Depending on the legal basis for the data processing, whether consent or the signing of a contract, all consent forms and contractual clauses should be reviewed to bring them into line with the new requirements of the GDPR, in particular as regards the information that must be made available to the data subjects and the way it is provided, especially when dealing with minors.
Consent for processing data should be requested again if the form in which the consent was given does not meet the conditions set out in the GDPR.
5. Review of subcontracts
All subcontracts (written or otherwise) entered into by the company with any natural or legal person, public authority, agency or other body for the processing of personal data on its behalf shall be reviewed.
All identified contractual relationships must be put in writing, with the minimum content required by the GDPR.
6. Mechanisms for guaranteeing the rights of data subjects
Companies should implement or ensure that their subcontractors have in place mechanisms that ensure timely exercise of the rights of data subjects:
- Right of access;
- Right to rectification or deletion;
- Right to limit the processing;
- Right to object to the processing;
- Right to transferability;
- Right to withdraw consent.
7. Implementation of technical and organizational security measures, by design and by default
Both when the means of processing are defined and during the processing itself, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to the risk. These measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, whose likelihood and severity may vary.
The GDPR gives us some clues about the measures that need to be implemented by companies to comply with this obligation:
- Pseudonymization and encryption of personal data;
- Mechanisms to ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services (ranging from physical security to password encryption);
- Instruments allowing the restoration of availability and access to personal data in a timely manner in the event of a physical or technical accident;
- Processes to regularly test, assess and evaluate the effectiveness of the implemented measures;
- Compliance with a Code of Conduct, when applicable;
- Certification procedure, when created by the supervisory authority;
- Adoption of compliance instruments, namely regulations, standards and procedures specific to certain areas, departments or units, to assist and define internal processes for data protection, in order to contribute to the promotion of the implementation of the GDPR.
8. Registration of data processing activities
Companies with more than 250 workers, or whose data processing is likely to pose a risk to the rights and freedoms of data subjects, is regular, or covers sensitive categories of data, shall keep a written record, including in electronic form, of all processing activities under their responsibility.
9. Definition of internal procedures for notification of violations of personal data
All companies must ensure in advance that they have internal procedures in place to enable them to comply with the obligation to notify a personal data breach that can result in a risk to the rights and freedoms of natural persons to the supervisory authority, without undue delay and within 72 hours of becoming aware of it, and, where applicable, to the data subject.
They should also keep a record documenting every personal data breach, whether or not it is subject to notification.
10. Designation of a Data Protection Officer
When companies fall into one of the following situations, they must appoint a data protection officer:
(a) Public entities (with the exception of courts in the exercise of the judicial function);
(b) Large-scale data processing operations;
(c) Large-scale processing operations of special categories of data.
Outside of these situations, the designation of a data protection officer is not mandatory, but it is advisable.