10 steps to prepare for the European Union’s General Data Protection Regulation

In less than 6 months, all companies operating with data belonging to residents of the European Union will be expected to meet the new General Data Protection Regulation (GDPR), coming into force on 25 May 2018. The requirements are tough, the penalties are big and if you haven’t started preparing for the new rules, it is time to do it as soon as possible in order to avoid a big fine which can go up to 4 % of your company global revenues.

In our previous article “European Union’s General Data Protection Regulation -what is it and what are the key changes?” we discussed in detailswhat is GDPR and what are the key changescoming from the new regulations. Now we are going to focus on some of the most important steps you and your company need to take to prepare for the upcoming rules in data protection.

1.Educate yourself and your team

In order to meet the new data protection requirements, it is essential that you and your team know what GDPR is and understand the requirements. One of the main goals of GDPR is to make businesses accountable for breaches and loss of data. That is why it is very important to have a full understanding of the risks and pay great attention to the security features.

2. Create a data protection plan

You might already have a data protection plan in place, but you will need to review and update it to ensure that it meets GDPR requirements.

3.Ensure individual rights

You should make sure that your procedures cover all the rights individuals have. The GDPR includes the following rights for individuals:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling

4.Prepare for the rules regarding the children’s personal data

In case your organization collects personal data of children you should definitely start thinking about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

5.Prepare for ‘Privacy by Design’

Under GDPR, you will have to show that you have integrated data protection into your processing activities. You should have clear policies in place to prove that you meet the required data protection standards under the GDPR.

6.Review and update your privacy notices and policies

One of the incoming GDPR requirements calls for clear and plain language in the provided privacy information. Your policies should be transparent and easily accessible.

7.Hire or appoint Data Protection Officers if needed

You should appoint A DPO to take responsibility for data protection complianceif you are:

  • a public authority (except for courts acting in their judicial capacity);
  • an organization that carries out the regular and systematic monitoring of individuals on a large scale;
  • an organization that carries out the large-scale processing of special categories of data e.g. health records.

8.Get ready for GDPR international data transfers

In order to ensure that the level of protection under the GDPR is not undermined, the GDPR imposes restrictions on the transfer of personal data outside the European Union.

Under GDPR, you may be able to transfer personal data.

  • subject to appropriate safeguards
  • on the basis of the ICO’s decision regarding levels of protection in specific territories

9.Set up a process for ongoing assessment

To make sure that you remain in compliance, you will need to monitor and make continuous improvement.

10.Small organization? Ask for help, if needed!

Small organizations are also going to be affected by GDPR. Some of them might not have the resources needed to meet the new requirements. If your organization is one of them, you might search for outside resources to get advice or help from technical experts to go through the process and minimize internal disruption.