GDPR 101: start with awareness
To start, make sure that the employees in your company are aware of the GDPR. Inform workers about the upcoming changes and make sure that the key people know what the GDPR means. They have to identify the areas where the company must intervene in order to become compliant with the GDPR.
The data protection officer
Check whether you need a data protection officer (DPO): this is not required for every company. If you need one, you can start looking for a suitable candidate. A new, full-time worker is not necessarily required: think of a consultant, or an internal employee who can take on this role in addition to his existing job.
Where is your data?
Start mapping your data now. Look at what data you have stored and where it is collected. The importance of this step should not be underestimated: not only is it important to know where the data is located, it is also crucial to know with which parties you have shared the information. According to the Privacy Commission, an information audit can help here.
Improve privacy statement
Make sure your privacy statement is up to date. Under the GDPR, companies must include additional information in their privacy statement, such as the legal basis for the data processing, the period for which you keep the data, and whether you share the data outside the EU. In addition, the user must be informed that he or she can complain to the Privacy Commission if his or her data is misused. Avoid difficult language: the privacy statement should be as clear as possible.
Make no mistake: the GDPR also applies to certain services your company may use. When your company works with an external company that processes personal data on your behalf, that external company is also responsible for protecting the privacy of the data. Please note: when you use their services, you are also responsible for checking whether they are compliant. So make sure you review the existing contracts and make the needed adjustments.
Rights of the data subject
Under the GDPR the "data subject", the user whose personal data is collected, gets some additional rights. Companies must make it possible to exercise those rights. Therefore, check whether a user can take the following actions:
- Access his or her personal data
- Correct or delete data
- Refuse direct marketing practices
- Refuse automated decision-making and profiling
- Transfer data to other suppliers/companies
Normally you will have little trouble, since the GDPR builds strongly on the current privacy law.