GDPR, the General Data Protection Regulation, is a new privacy law and will be applicable in all European countries as of 25 May 2018. Under the GDPR, there are very high penalties, up to 20 million Euros or 4% of your worldwide turnover. Do you know what to do exactly, and where to start with the GDPR? Many companies are overwhelmed by the amount of information and find it hard to know where to start. In this article, I will share four tips to start off your GDPR project in the right direction.
“The main GDPR topics are: transparency, accessible and understandable information, adequate security, and being able to show compliance.”
What is the GDPR, and why?
Before you start with the GDPR, it is good to understand the background of why the GDPR was introduced in the first place. The main reason is to strengthen the position of the people whose personal data are used, and to give them more privacy control and protection. For nearly all companies, the GDPR also means that they should give more information, and document what they are doing with the personal data that they are collecting and using.
In the GDPR projects that I have done so far, from small companies to multinationals, the four main recurring topics are always:
- more transparency,
- accessible and understandable information,
- adequate security,
- and being able to show compliance with the GDPR.
Where to start with GDPR?
Every journey, like the ‘GDPR journey’, starts with a first step. Below you will find an overview of just four essential tips to kick-start your GDPR project, no matter how big or small your company is, and no matter in which sector you are.
Let’s Get Started!
Tip 1: Create Privacy awareness
It all starts with Privacy awareness! Make sure that everyone in your organization is informed about the basic principles of Privacy, and knows what is expected of them in order to comply with the GDPR.
It is important to prepare well, appoint a project team, and to allocate budget and resources for your GDPR project.
In the GDPR projects that I have done, I usually start with a “kick-off meeting” with the GDPR project team and stakeholders, to create Privacy awareness, introduce the GDPR, answer questions and to align the expectations for the GDPR project.
Tip 2: Keep track of personal data
One of the most important obligations of the GDPR is to keep a record of everything that you do with personal data, within your organization.
In this so-called Record of Processing Activities (ROPA), you should keep track of at least the following:
- what type of personal data do you use, and from whom,
- what do you use it for, and why do you need it,
- where did the personal data come from,
- where does the personal data go to, and who has access,
- how long do you keep the personal data,
- how do you secure the personal data.
You have to document all of the above, so that you are able to show that your company is compliant with the GDPR, in case a Privacy authority asks you to do so.
In my experience, many organizations struggle with this, because they do not know how much personal data they have, and where they keep it exactly. Therefore, this can be a time-consuming activity.
Tip 3: Give information about personal data
After you have filled in the Record of Processing Activities, it is time to inform the persons involved (your employees, customers and suppliers) about what you do with their personal data. This is usually done in the form of a Privacy Policy, Privacy Notice or Privacy statement, which are basically the same.
If you already have an existing Privacy Policy, it probably needs to be updated because you have to give more privacy information according to the GDPR. But more is not always better. The GDPR also requires that this information should be easily accessible and understandable. So no difficult, long sentences, but short, simple sentences and pictograms instead.
Tip 4: Sign data processing agreements (DPA)
If you use external parties who process personal data on your behalf, the so-called “data processors”, then you should sign a data processing agreement (DPA) with these data processors. A data processing agreement contains the obligations that the data processor has. For example, a data processor should follow your instructions only, and may not use the personal data in other ways.
If you have already signed a data processing agreement with your data processors before May 2016, these agreements should be replaced with a new version, which meets the stricter requirements of the GDPR.
Want to know more about GDPR?
In this article, I have shared my Top 4 tips to start your GDPR project. If you want to know more about the GDPR, please let me know in a comment below.