1. Awareness 

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. 

They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. 

Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute. 

2. Designate a driver (DPO)

The appointment of a Data Protection Officer (DPO) is mandatory in 2018 if :

  • you are a public organism
  • you are a company whose basic activity leads you to carry out a regular and systematic monitoring of large-scale people or to treat on a large scale so-called "sensitive" data or relating to criminal convictions and offenses

"Conductor" of data protection compliance within his organization, the DPO is primarily responsible for:

  • Inform and advise the controller or subcontractor and their employees
  • To monitor compliance with the Regulation and national data protection law
  • To advise the organization on carrying out impact studies on data protection and to verify their implementation
  • Cooperate with the supervisory authority and be its point of contact

3. Mapping your personal data processing

In the framework of the future regulation, the organizations must keep a complete internal documentation on their processing of personal data and ensure that these treatments comply with the new legal obligations. You so have to list precisely:

  • The different treatments of personal data
  • The categories of personal data processed
  • The objectives pursued by the data processing operations
  • The actors (internal or external) who process these data; you will have to clearly identify subcontractor service providers
  • Flows by indicating the origin and destination of the data, in particular to identify any data transfers outside the European Union

4. Prioritize actions

You must, for each personal data processing within your organization, identify the actions to take to comply with current and future obligations:

  • Make sure that only data strictly necessary for the pursuit of your goals is collected and processed
  • Identify the legal basis on which your processing is based (consent of the person, legitimate interest, contract, legal obligation)
  • Review your information to ensure compliance with the requirements of the regulation
  • Check that your subcontractors know their new obligations and their responsibilities, make sure there are contractual clauses reminding the obligations of the subcontractor with regard to security, confidentiality and the protection of personal data processed
  • Plan how to exercise the rights of the data subjects (right of access, rectification, right to portability, withdrawal of consent ...)
  • Check the security measures in place

5. Manage risks

The impact study on data protection allows :

  • To build a personal data processing or a product respectful of the private life
  • To appreciate the impacts on the privacy of the persons concerned
  • To demonstrate that the fundamental principles of the Regulation are respected

When to conduct a Data Protection Impact Assessment (PIA)?

  • Before collecting data and implementing the processing
  • any processing likely to create high risks for the rights and freedoms of natural persons

What does a Data Protection Impact Study (PIA) contain?

  • A description of the treatment and its purposes
  • An assessment of the necessity and proportionality of the treatment
  • An assessment of the risks to the rights and freedoms of the persons concerned
  • The measures envisaged to address these risks and to comply with the Regulation

6. Organize internal processes

Organizing the processes involves :

  • Take into account the protection of personal data from the design of an application or a treatment (minimization of the collection of data with regard to the purpose, cookies, retention periods, information statements, collection of consent, security and confidentiality of data, ensure the role and responsibility of those involved in the implementation of data processing); to do this, follow the advice of the DPO
  • Sensitize and organize information feedback by building a training and communication plan for your employees
  • Deal with the complaints and requests of data subjects for the exercise of their rights (rights of access, rectification, opposition, right to portability, withdrawal of consent) by defining the actors and the modalities (the exercise rights must be available electronically, if the data has been collected by this means)
  • Anticipate data breaches by providing, in some cases, notification to the data protection authority within 72 hours and to the data subjects as soon as possible

7. Document compliance

In order to prove your compliance, you must establish a documentary record to demonstrate that the processing of personal data complies with the regulations.
Your file must include the following elements :

Documentation about your personal data processing :

  • The processing register (for processing managers) or the processing activity categories (for subcontractors)
  • Data Protection Impact Assessments (PIA, see step 4 here-above) for processing that may pose a high risk to the rights and freedoms of individuals
  • The framework for data transfers outside the European Union (in particular standard contractual clauses or BCRs)

Information of people:

  • The information mentions
  • The models for obtaining the consent of the persons concerned
  • The procedures put in place for the exercise of the rights of individuals

Contracts defining the roles and responsibilities of the actors : 

  • Contracts with subcontractors
  • Internal procedures for data breaches
  • Evidence that data subjects have given consent when the processing of their data is based on this basis 
Did this answer your question?