10 Key steps for compliance with the GDPR

The European Commission granted two years between the entry into force of the General Data Protection Regulation and its full implementation, on 25 May, for companies to adapt to the new rules. There are just under two months to go and there are still many entities that do not know where to start. According to Jane Kirkby, these are the essential steps to achieve this goal.

On 25 May 2016 Regulation (EU 2016/679) of the European Parliament and of the Council of 27 April on the protection of a natural person with regard to the processing of personal data and on the free movement of such data entered into force, repealing Directive 95/46/EC of 24 October 1995, the General Data Protection Regulation (GDPR). These new rules have brought numerous challenges to all entities and agents whose activities involve the processing of personal data.

Considering that the full implementation of the Regulation was set for May 25, 2018, the entities had two years to identify the changes necessary to comply with the new data protection regime and its implementation, including the adoption and implementation of new security measures.


There is still time

It turns out that we are already in count down until May 25 and the truth is that most companies in Portugal have not done their homework and a large part still don’t know what to do. Nevertheless, we believe that, “rolling up our sleeves,” it is still possible for organizations to comply with the GDPR until then.

The first thing to bear in mind is that the GDPR is not the “bogeyman” but rather a challenge for entities and agents, an opportunity to assess how activities involving the processing of personal data are performed by companies and define and implement compliance policies with the new rules.

Where to start?


1. Survey of databases

The first task is to survey all the activities that involve the processing of personal data and to catalogue databases, for example, of workers; of data from newsletters; from clients; of suppliers.


2. Verification of compliance with the principles relating to the processing of personal data

Each database must be surveyed to verify whether the principles relating to the processing of personal data are being complied with:

  • Lawfulness, loyalty and transparency;
  • Limitation of purpose;
  • Minimization of data;
  • Accuracy;
  • Preservation limitation;
  • Confidentiality integrity


3. Identifying the basis for processing

The processing of each database must be legally reasoned.

The basis for the processing of each database may have different sources, such as the consent of the data subject, the performance of a contract or pre-contractual procedures, legal obligations, defence of vital interests, functions of public interest and the exercise of public authority or legitimate interests.


4. Review of consent forms and contracts

Depending on the legal basis for the data processing, whether consent or the signing of a contract, all forms of consent and contractual clauses should be reviewed to bring them into line with the new requirements of the GDPR, in particular as regards the information that must be made available to the data subjects and the way it’s provided, in particular when dealing with minors.

Consent for processing data should be requested again if the form in which the consent was given does not meet the conditions set out in the GDPR.


5. Review of subcontracts

All subcontracts (written or otherwise) entered into by the company with any natural or legal person, public authority, agency or other body for the processing of personal data on its behalf shall be reviewed.

All identified contractual relationships must be put in writing, with the minimum content required by the GDPR.


6. Mechanisms for guaranteeing the rights of data subjects

Companies should implement or ensure that their subcontractors have in place mechanisms that ensure timely exercise of the rights of data subjects:

  • Right of access;
  • Right to rectification or deletion;
  • Right to limit the processing;
  • Right to object to the processing;
  • The right to transferability;
  • Right to withdraw consent.


7. Implementation of technical and organizational security measures, by design and by default

Both at the time of the definition of the means of processing and at the time of the processing itself, the appropriate technical and organizational measures to ensure a level of safety appropriate to the risk, taking into account the most advanced techniques, the implementation costs and the nature, scope, context and purpose of treatment, as well as the risks to the rights and freedoms of natural persons whose likelihood and severity may be variable, shall be implemented

The GDPR gives us some clues about the measures that need to be implemented by companies to comply with this obligation:

  • Pseudonymization and encryption of personal data;
  • Mechanisms to ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services (ranging from physical security to password encryption);
  • Instruments allowing the restoration of availability and access to personal data in a timely manner in the event of a physical or technical accident;
  • Processes to regularly test, evaluate and evaluate the effectiveness of the implemented measures;
  • Compliance with a Code of Conduct, when applicable;
  • Certification procedure, when created by the supervisory authority;
  • Adoption of compliance instruments, namely regulations, standards and procedures specific to certain areas, departments or units, to assist and define internal processes for data protection, in order to contribute to the promotion of the implementation of the GDPR.


8. Registration of data processing activities

Companies with more than 250 data-processing workers likely to pose a risk to the rights and freedoms of data subjects, regular or covering sensitive categories of data, shall keep a written record, including in electronic form, of all processing activities under their responsibility.


9. Definition of internal procedures for notification of violations of personal data

All companies must ensure in advance that they have internal procedures in place to enable them to comply with the obligation to notify a breach of personal data, that can result in a risk to the rights and freedoms of natural persons, to the supervisory authority, without undue delay and until 72 hours after having knowledge of it, or, where applicable, to the data subject.

They should also create a record to document any data breaches, subject to notification or not.


10. Designation of a Data Protection Officer

When companies fall into one of the following situations, they must appoint a data protection officer:

(a) Public entities (with the exception of courts in the exercise of the judicial function);

(b) Large-scale data processing operations;

(c) Large-scale processing operations of special categories of data.

Outside of these situations, the designation of a data protection officer is not mandatory, but it is advisable.

More in Communication